JIRA: SAK-131: Add Role based SU security
This test plan covers the sub-story SAK-354: add realm based security to SuTool ONLY
Description:
This modification to the SU Tool is intended to allow users who are not SuperUser to SU other users. On startup, the tool looks for or creates a security realm (reference: Realms tool). By default the realm's name is '!su.can_su_realm', but it can be modified by editing the tool registration file.
Administrators should add roles to this realm that have the correct security function (permission). This function name is 'su.can_su' by default (but can be changed by an administrator by editing the tool registration file).
The permission matrix looks like this:
| source | function | target | result |
|---|---|---|---|
| user A | can SU | user B | true/false |
if:
Priv Users = users that are added to a role in the 'SU Realm' which has the 'Can SU' security function
NonPriv Users =
1) users that are not added to a role in the 'SU Realm' which has the 'Can SU' security function
or 2) users that are added to a role in the 'SU Realm' which does not have the 'Can SU' security function
SuperUser = any user that has the magical name or ability to edit the admin home site.
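
The three user classes defined above, modelled as an added example (not Sakai's or the SU tool's own code) that a tester can use to check which class each test account falls into. The `Realm` class, the sample users and roles, the `is_super_user` callback, and checking SuperUser before realm membership are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Defaults stated on the page; both can be changed in the tool registration file.
DEFAULT_REALM = "!su.can_su_realm"
DEFAULT_FUNCTION = "su.can_su"

@dataclass
class Realm:
    """Hypothetical stand-in for a security realm (not the Sakai API)."""
    realm_id: str
    role_functions: dict = field(default_factory=dict)  # role -> set of function names
    members: dict = field(default_factory=dict)         # user id -> role

def find_or_create_realm(realms, realm_id=DEFAULT_REALM):
    """Mirror the startup step: look the realm up, create it empty if absent."""
    return realms.setdefault(realm_id, Realm(realm_id))

def classify(user, realm, is_super_user, function=DEFAULT_FUNCTION):
    """Return 'SuperUser', 'Priv' or 'NonPriv' per the definitions above."""
    # Assumption: SuperUser status is checked before realm membership.
    if is_super_user(user):
        return "SuperUser"
    role = realm.members.get(user)
    if role is None:
        return "NonPriv"  # case 1: not added to any role in the SU realm
    if function in realm.role_functions.get(role, set()):
        return "Priv"
    return "NonPriv"      # case 2: role lacks the 'Can SU' function

def build_fixture():
    """Constructed test data: one role with the function, one without."""
    realm = find_or_create_realm({})
    realm.role_functions = {"helpdesk": {DEFAULT_FUNCTION}, "observer": set()}
    realm.members = {"alice": "helpdesk", "bob": "observer"}
    return realm

def classify_all(users, realm, is_super_user, function=DEFAULT_FUNCTION):
    return {u: classify(u, realm, is_super_user, function) for u in users}

if __name__ == "__main__":
    realm = build_fixture()
    is_super = lambda u: u == "sample_superuser"  # constructed predicate
    users = ["alice", "bob", "carol", "sample_superuser"]
    for user, cls in classify_all(users, realm, is_super).items():
        print(f"{user}: {cls}")
    # If the function name is changed in the registration file but the roles
    # still carry the old name, a formerly Priv user no longer matches.
    print(classify("alice", realm, is_super, function="su.renamed_example"))
```

The last call is worth a test case of its own: after the function or realm name is changed in the tool registration file, roles that still hold the old name no longer grant the permission in this model.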