Let me put a bit more precision into my question:
Givens / understanding:
Capabilities can only be disabled (= not granted; this is the default), or enabled (= granted). (They cannot be set to disabled, but they can only be left disabled by not enabling them.)
Properties can take numeric, or alphanumeric, values, e.g. srchJobsQuota=10, srchIndexesAllowed=main.
Scenario 1:
- role_1 has capabilities cA=enabled, cB=enabled, cC=enabled, properties pA=100, pB=100, pC=100;
- role_2 has capabilities cC=enabled, cD=enabled, properties pB=200, pC=1, pD=100;
- role_4 imports role_1 and role_2.
Question Q1:
role_4 then has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled, and
- properties pA=100, pB=200 (from role_2, because 200>100), pC=100 (from role_1, because 100>1), pD=100.
Is this correct?
Scenario 2:
- role_1 has capabilities cA=enabled, cB=enabled, cC=enabled, properties pA=100, pB=100, pC=100;
- role_2 has capabilities cC=enabled, cD=enabled, properties pB=200, pC=1, pD=100;
- role_2 imports role_1;
- role_3 imports role_2;
- role_3 does not import role_1 explicitly;
Then, what is the outcome:
Question Q2.A -- with regard to capabilities:
Option A1:
role_3 has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled.
This would be identical to role_3 importing both role_1 and role_2.
I.e.:
- capabilities are inherited recursively;
Option A2:
role_3 has
- capabilities cC=enabled, cD=enabled.
I.e.:
- capabilities are not inherited recursively;
Which option is correct?
Question Q2.B -- with regard to properties:
Option B1:
role_3 has
- properties pA=100, pB=200 (from role_2, because 200>100), pC=100 (from role_1, because 100>1), pD=100.
This would be identical to role_3 importing both role_1 and role_2.
I.e.:
- properties are inherited recursively, taking the highest value for a property defined in more than one role within the inheritance chain.
Option B2:
role_3 has
- properties pA=100, pB=200 (from role_2, because role_2 overwrites role_1), pC=1 (from role_2, because role_2 overwrites role_1), pD=100.
I.e.:
- properties are inherited recursively, taking the value of the "youngest generation" of ancestor roles for a property defined in more than one role within the inheritance chain.
Option B3:
role_3 has
- properties pB=200 (from role_2), pC=1 (from role_2), pD=100.
I.e.:
- properties are not inherited recursively.
Option B4:
role_3 has
- no properties set.
I.e.:
- properties are not inherited (at all).
Which one is correct?
Thanks a lot in advance for helping clarify this.
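The candidate semantics listed in the question, modelled on Scenario 2 as an added example (not part of the original post and not Splunk's code). It does not say which option the product implements; it only computes what each option would yield, so the result can be compared with the effective role seen on a real system. The names `ROLES`, `chain`, `effective_caps` and `effective_props` are hypothetical, and only numeric properties are handled.

```python
# Added example: models the options from the question, not Splunk's implementation.
ROLES = {  # Scenario 2 from the post; role_3 defines nothing of its own
    "role_1": {"caps": {"cA", "cB", "cC"}, "imports": [],
               "props": {"pA": 100, "pB": 100, "pC": 100}},
    "role_2": {"caps": {"cC", "cD"}, "imports": ["role_1"],
               "props": {"pB": 200, "pC": 1, "pD": 100}},
    "role_3": {"caps": set(), "imports": ["role_2"], "props": {}},
}

def chain(roles, name, recursive):
    """Return [(depth, role)]: depth 0 is the role itself, 1 its direct imports."""
    out, seen, level, depth = [(0, name)], {name}, roles[name]["imports"], 1
    while level:
        nxt = []
        for r in level:
            if r in seen:          # guard against import cycles and diamonds
                continue
            seen.add(r)
            out.append((depth, r))
            nxt.extend(roles[r]["imports"])
        level, depth = (nxt if recursive else []), depth + 1
    return out

def effective_caps(roles, name, recursive):
    """A1 = recursive union of enabled capabilities, A2 = direct imports only."""
    caps = set()
    for _, r in chain(roles, name, recursive):
        caps |= roles[r]["caps"]
    return caps

def effective_props(roles, name, rule):
    """rule is one of the question's options: B1, B2, B3 or B4."""
    members = chain(roles, name, recursive=rule in ("B1", "B2"))
    if rule == "B4":               # nothing inherited: the role's own values only
        members = members[:1]
    merged = {}
    # Farthest ancestor first, so nearer generations overwrite (B2, B3).
    # Assumption: among imports at the same depth, the later-listed one wins.
    for _, r in sorted(members, key=lambda m: -m[0]):
        for key, val in roles[r]["props"].items():
            if rule == "B1" and key in merged:
                val = max(val, merged[key])   # B1: highest value in the chain
            merged[key] = val
    return merged

if __name__ == "__main__":
    for opt, rec in (("A1", True), ("A2", False)):
        print(opt, sorted(effective_caps(ROLES, "role_3", rec)))
    for opt in ("B1", "B2", "B3", "B4"):
        print(opt, effective_props(ROLES, "role_3", opt))
```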