backstage-showcase
RBAC: Proposal to implement a maxDepth inheritance feature for RBAC groups
What do you want to improve?
The goal of this issue is to introduce a new feature into the RBAC (Role-Based Access Control) system that enforces a maximum inheritance depth for RBAC groups. This feature will help keep access control policies manageable, prevent excessive complexity, and improve the overall efficiency of the RBAC system. It should allow us to support group inheritance up to a specified depth level, and the maxDepth level should be configurable through the application config.
Context
RBAC systems are designed to manage and control access to resources within an organization. In RBAC, users are assigned to roles, and roles are assigned to groups. Inheritance within these groups allows for the propagation of permissions. However, in some scenarios, it's essential to place restrictions on the depth of this inheritance to prevent unintended and complex access hierarchies.
Interesting subfeatures:
- We can disable group inheritance if the user specifies a max depth level of 1.
- We can disable group support entirely if the user specifies a max depth level of 0.
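To make the depth semantics above concrete (level 0 = no groups, level 1 = direct groups only, level n = n-1 further levels of parent groups), here is an added example of a bounded hierarchy walk. It is illustrative code written for this issue, not code from the backstage-showcase RBAC plugin; the function name `resolveGroups`, the `parents` map, the `RbacDepthConfig` shape and the sample group refs are all assumptions. It also handles the failure mode a real catalog can produce: a cycle in the parent chain, which an unbounded walk would loop on.

```typescript
// Added example, not part of backstage-showcase. `resolveGroups`, the
// `parents` map and `RbacDepthConfig` are assumed names for illustration.

// Constructed sample hierarchy: child group -> parent groups.
// Refs follow the Backstage `group:default/<name>` entity ref format.
// The company -> engineering edge is a deliberately constructed cycle.
const sampleParents: Record<string, string[]> = {
  'group:default/team-a': ['group:default/engineering'],
  'group:default/engineering': ['group:default/company'],
  'group:default/company': ['group:default/engineering'],
};

interface RbacDepthConfig {
  // 0 = no group support, 1 = direct groups only,
  // n = direct groups plus n-1 levels of parent groups.
  maxDepth: number;
}

/**
 * Returns the group refs whose roles a user inherits, visiting at most
 * `maxDepth` levels: direct groups are level 1, their parents level 2, and
 * so on. The `seen` set guards against cycles so a malformed catalog
 * hierarchy cannot make policy evaluation loop forever.
 */
function resolveGroups(
  directGroups: string[],
  parents: Record<string, string[]>,
  config: RbacDepthConfig,
): string[] {
  if (!Number.isInteger(config.maxDepth) || config.maxDepth < 0) {
    throw new Error(`maxDepth must be a non-negative integer, got ${config.maxDepth}`);
  }
  const seen = new Set<string>();
  let frontier = directGroups;
  // Each loop iteration is one inheritance level; stop at maxDepth.
  for (let depth = 1; depth <= config.maxDepth && frontier.length > 0; depth++) {
    const next: string[] = [];
    for (const group of frontier) {
      if (seen.has(group)) continue;
      seen.add(group);
      for (const parent of parents[group] ?? []) {
        if (!seen.has(parent)) next.push(parent);
      }
    }
    frontier = next;
  }
  return [...seen];
}

// Usage: with maxDepth 2 a member of team-a inherits from engineering but
// not from company; with maxDepth 0 no group membership is considered.
const user = ['group:default/team-a'];
console.log(resolveGroups(user, sampleParents, { maxDepth: 0 }));
console.log(resolveGroups(user, sampleParents, { maxDepth: 2 }));
```

Rejecting a negative or non-integer maxDepth at config load time, as the guard above does, avoids silently falling back to unbounded inheritance, which is the behaviour the feature is meant to prevent.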
Benefits:
- Enhanced Access Control: By limiting the depth of inheritance, we ensure that access hierarchies do not become overly complex, making it easier to manage and audit access rights.
- Improved Performance: Reducing the depth of inheritance can improve access control performance, since fewer levels of inheritance need to be evaluated.
- Policy Compliance: This feature aligns with security and compliance best practices by offering greater control over access management.
What is the current behavior?
Currently, our system supports group inheritance throughout the entire user group hierarchy. This approach may cause performance issues when dealing with extensive group hierarchies.
What is the new behavior?
The permission admin can configure the group inheritance depth using the application config.