On Thu, Dec 2, 2010 at 21:31, David Pratt <[email protected]> wrote:

> Hi Randall. Am not opposed to this either, however we are currently
> two dbs with _users at present and see per document authorization as
> an opportunity to extend current authorization policy.
>

_users are separate from the rules in my mind. A typical use case in my imagination would have the access rules in the application's db, acting on roles. Then individual _users on any Couch that replicated the app could give themselves the appropriate role. Think of how on many Linux systems users with the audio group can access sound devices, but simply installing audio-related software sets up the group. Roles referenced by validation/access functions are implicitly generated groups, and then individual instances that have replicated the app can set up the membership for that role for any local users who should use the app.

> If not a separate db, can you elaborate on your ideas and how you
> would reconcile with _users with roles, and with Admins and Readers
> groups. What sort of mechanism are you suggesting?
>

We'll have to see how performance goes, but I'd encourage any efforts for design-doc level read validations.
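Added example, not part of the original message: the write-side form of the arrangement described above, using CouchDB's existing `validate_doc_update` hook (the design-doc level read validation the thread discusses is a proposal, so it is not shown). The role name `notes-editor`, the `owner` field, the design doc id and the `check` harness are assumptions made for illustration.

```javascript
// Rule shipped in the app's design document: it names a role, never a user.
function validate_doc_update(newDoc, oldDoc, userCtx) {
  var APP_ROLE = "notes-editor";                    // hypothetical role name
  var roles = userCtx.roles || [];
  if (roles.indexOf("_admin") !== -1) return;       // server admins pass
  if (!userCtx.name) throw { unauthorized: "Log in first." };
  if (roles.indexOf(APP_ROLE) === -1)
    throw { forbidden: "Role " + APP_ROLE + " is required." };
  // Per-document rule: only the owner may change or delete an existing doc.
  if (oldDoc && oldDoc.owner !== userCtx.name)
    throw { forbidden: "Only the owner may modify this document." };
  // New revisions must keep the writer as owner (deletions carry no owner).
  if (!newDoc._deleted && newDoc.owner !== userCtx.name)
    throw { forbidden: "owner must equal the writing user." };
}

// Constructed design doc: this is what replicates along with the app.
// Role membership does not replicate with it; each instance grants the
// role locally through the "roles" array of its own _users documents.
var designDoc = {
  _id: "_design/notes",
  validate_doc_update: validate_doc_update.toString()
};

// Local harness (assumption): maps the thrown object to a short result.
function check(newDoc, oldDoc, userCtx) {
  try { validate_doc_update(newDoc, oldDoc, userCtx); return "ok"; }
  catch (e) { return e.unauthorized ? "unauthorized" : "forbidden"; }
}

// Constructed user contexts, shaped like the userCtx CouchDB passes in.
var alice = { name: "alice", roles: ["notes-editor"] };
var bob   = { name: "bob",   roles: ["notes-editor"] };
var carol = { name: "carol", roles: [] };            // local user, no role
var anon  = { name: null,    roles: [] };
var doc   = { _id: "n1", owner: "alice", text: "hi" };

console.log(check(doc, null, alice));                          // has the role
console.log(check(doc, null, carol));                          // role missing
console.log(check(doc, null, anon));                           // not logged in
console.log(check({ _id: "n1", owner: "bob" }, doc, bob));     // not the owner
```
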
