...
- It is not clear that the association between a subject and an AccessRequirement is not a part of the AccessRequirement.
Option 2 - Allow AccessRequirement to be created
...
without specifying Subjects
- Remove the list of RestrictableObjectDescriptor from AccessRequirement DTO.
- Create & Update AccessRequirement will not associate the AccessRequirement to any subjects.
- Add new set of APIs to associate a subject to an AccessRequirement and to remove the association.
- Add new APIs to list the AccessRequirements one creates and has access to.
...
After discussion on July 7th, 2017, we decided that the cons in option 2 can be addressed by the client presenting the same workflow to users and handling more API calls in the background. This made option 2 a better choice since it addresses both problems #1 and #2. It also allows us to address #3 later.
New Services
These are new APIs for option 2.
Action | Intended Users | Method | URI | RequestBody | ResponseBody |
---|---|---|---|---|---|
Apply an AccessRequirement to a list of subjects | ACT | PUT | /accessRequirement/{id}/association | AccessRequirementAssociationRequest | |
Remove a list of subjects from an AccessRequirement | ACT | DELETE | /accessRequirement/{id}/association | AccessRequirementAssociationRequest | |

AccessRequirementAssociationRequest |
---|
List<RestrictableObjectDescriptor> subjects |