| author | mo khan <mo@mokhan.ca> | 2025-03-17 14:45:41 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-03-17 14:45:41 -0600 |
| commit | 94d084a51172b7e3851779e9e052435084d4abfe (patch) | |
| tree | 2af690135fe184c34dedec7f34447fb12092ed40 /doc/share/authz/FAQ.md | |
| parent | f9168083b787118af5577015a3c7f9efa63c8e80 (diff) | |
docs: add notes on ABAC and weakness of RBAC
Diffstat (limited to 'doc/share/authz/FAQ.md')
| -rw-r--r-- | doc/share/authz/FAQ.md | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/doc/share/authz/FAQ.md b/doc/share/authz/FAQ.md index 3d560f1..8e73beb 100644 --- a/doc/share/authz/FAQ.md +++ b/doc/share/authz/FAQ.md @@ -4,3 +4,30 @@ * Q: How do we define the scope of a permission? (hierarchical?) * Q: What is the unique identifier for each security principal across service boundaries? (i.e. bigint, ulid, uuid, email) * Q: What permissions do each of the standard roles have today? +* Q: How does a permission cascade down a group hierarchy? + +``` +Organization + Group A + * Roles + * Developer + * Maintainer + * Custom A + * base: developer + * permissions: + * admin_vulnerability: true + * read_vulnerability: true (implicitly) + * Custom B + * base: maintainer + * permissions: + * Doesn't really matter because Maintainer has all the permissions available via a custom role. <- Fact check this + Group Aa + Project Aa1 + Project Aa2 + Group Aaa + Project Aaa1 + Project Aaa2 +``` + +* Q: If a user has a membership at `Group A`, does the permissions associated with that +membership cascade down to `Group Aa` and `Group Aaa`? |
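Review bot: The "<- Fact check this" marker on the Custom B entry commits an unverified claim ("Maintainer has all the permissions available via a custom role") into the FAQ; either verify it against the current role definitions before merging, or phrase it as an open question in the same `* Q:` style as the surrounding items so readers do not take it as settled. Two smaller points: the commit message says "add notes on ABAC and weakness of RBAC", but the hunk only adds questions about permission cascade down the group hierarchy, so the message should describe what the change actually adds; and the final question should read "do the permissions associated with that membership cascade down to `Group Aa` and `Group Aaa`?" rather than "does".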
