Here is my setup. Assume I have 100 processes.
I've created a role that grants SERVICE_INVOKE permissions.
I've assigned this role to the "All Principals" group.
This was an easy way of granting invoke permissions to all users on all processes.
Now, I want to add process 101. But I only want a limited set of users to be able to invoke it. How do I accomplish this?
Because of the role I created earlier, all principals will get invoke permissions on process 101 by default. It appears to me that in order to accomplish this I will have to:
- Remove the SERVICE_INVOKE permission from my role.
- Add the "All Principals" principal with INVOKE_PERM permission on each of the 100 processes
- Add the limited set of users with INVOKE_PERM to process 101
I didn't see a way of denying "All Principals" invoke permissions on process 101.
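
The restructuring listed in the question, checked against a simplified allow-only permission model. This is an added example, not part of the original post and not the product's API; the role name, the `limited-invokers` group and the service names are hypothetical.

```python
# Assumed model: a principal may invoke a service if a role held by one of its
# groups grants SERVICE_INVOKE system-wide, or if the service's own ACL grants
# INVOKE_PERM to one of its groups. There is no deny entry.
ALL = "All Principals"

def build_before():
    """The setup from the post: one role on All Principals, no per-service ACLs."""
    return {
        "roles": {"invoke-everything": {"SERVICE_INVOKE"}},  # hypothetical role name
        "role_members": {"invoke-everything": {ALL}},
        "acl": {f"process{i}": {} for i in range(1, 102)},   # process1..process101
    }

def groups_of(user, limited):
    # Every user belongs to All Principals; "limited-invokers" is hypothetical.
    return {ALL, user} | ({"limited-invokers"} if user in limited else set())

def can_invoke(state, user, service, limited):
    groups = groups_of(user, limited)
    for role, perms in state["roles"].items():
        if "SERVICE_INVOKE" in perms and state["role_members"][role] & groups:
            return True  # system-wide grant: applies to every service, old or new
    acl = state["acl"][service]
    return any("INVOKE_PERM" in acl.get(g, set()) for g in groups)

def migrate(state, restricted="process101"):
    """Apply the three steps from the post and return a new state."""
    new = {
        "roles": {r: p - {"SERVICE_INVOKE"} for r, p in state["roles"].items()},
        "role_members": state["role_members"],
        "acl": {s: dict(a) for s, a in state["acl"].items()},
    }
    for service in new["acl"]:
        principal = "limited-invokers" if service == restricted else ALL
        new["acl"][service][principal] = {"INVOKE_PERM"}
    return new

def exposed_to(state, user, limited):
    """Audit helper: every service the user can invoke in this state."""
    return {s for s in state["acl"] if can_invoke(state, user, s, limited)}
```

Running `exposed_to` for a user outside the limited set before and after `migrate` is the audit step: any service that still appears for that user is reachable through a remaining system-wide grant.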