Hello,

I would like to have a discussion on the meaning of these entities in general and with respect to how they are modeled in Triplesec today in the trunk:

  o Permissions
  o Roles
  o Groups

I've been talking to djencks about this stuff for a bit now as we have started working together on various aspects of Triplesec. I'd like to have a general discussion about these concepts here so we can all be on the same page with what they are. Let me kick this off.

Permissions
===========

To me a permission is a right that is granted to access a resource or perform some kind of protected operation. To a large degree the semantics of permissions are undefined except within a specific application. For example the permission to accessPayroll may not have much meaning outside of an application dealing with payroll management.

In Triplesec (trunk) a permission is just a label without any meaning. The semantics of the permission is left up to the application to define.

Roles
=====

A Role is a collection of permissions associated together to represent the rights needed by one to perform the actions or activities of a function. For our purposes we can just say a role is a collection of permissions.

As a collection of permissions which are application specific, roles themselves become application specific.

In Triplesec (trunk) a role is just a collection of granted permissions with a name. Role entries in Triplesec have a SINGLE-VALUED 'roleName' and a MULTI-VALUED 'grants' attribute. You just add the names of permissions to a role entry to add them to the role.

Groups
======

Although you can group anything I think we're talking more about groups of users in this context. Groups are primarily used to make administration tasks easier. By grouping people, they can be managed as a single group rather than by performing the same upkeep operations on each member of the group.

In Triplesec a group is a static LDAP group (groupOfUniqueNames) of user DNs right now. We may expand this to include dynamic groups in the future.

Thoughts? Corrections?

Alex


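As an added illustration of the trunk data model described in the message (not code from Triplesec or from the author), the following Python resolves a role's granted permissions and a static group's membership from a small LDIF fragment. The LDIF is constructed for this example; the 'roleName', 'grants' and groupOfUniqueNames names come from the message, while the role objectClass name, the DNs and the permission names are assumptions. It also enforces the SINGLE-VALUED 'roleName' rule the message states, rejecting a role entry that carries two names.

```python
"""Toy resolver for the Triplesec (trunk) role/group model.

Constructed example: the LDIF below is made up for illustration. The
'roleName' and 'grants' attribute names and the groupOfUniqueNames class
are from the mailing-list message; the 'roleEntry' objectClass, the DNs
and the permission labels are assumptions.
"""
from collections import defaultdict

# Constructed LDIF: two role entries and one static group of user DNs.
SAMPLE_LDIF = """\
dn: roleName=payrollClerk,ou=roles,dc=example,dc=com
objectClass: top
objectClass: roleEntry
roleName: payrollClerk
grants: accessPayroll
grants: viewEmployeeRecord

dn: roleName=auditor,ou=roles,dc=example,dc=com
objectClass: top
objectClass: roleEntry
roleName: auditor
grants: viewEmployeeRecord
grants: exportAuditLog

dn: cn=payrollStaff,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: payrollStaff
uniqueMember: uid=alice,ou=users,dc=example,dc=com
uniqueMember: uid=bob,ou=users,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse a minimal LDIF into {dn: {attribute: [values...]}}.

    Handles blank-line separated entries and repeated (multi-valued)
    attributes. Comments are skipped; base64 ('::') values and folded
    continuation lines are deliberately not supported here.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip("\n")
        if not line.strip():
            current = None          # blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = defaultdict(list)
            entries[value] = current
            continue
        if current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        current[attr].append(value)
    return entries


def roles(entries):
    """Map roleName -> set of granted permission names.

    Enforces the rule from the message that 'roleName' is single-valued;
    'grants' may carry any number of permission names.
    """
    result = {}
    for dn, attrs in entries.items():
        if "roleName" not in attrs:
            continue
        names = attrs["roleName"]
        if len(names) != 1:
            raise ValueError(f"{dn}: roleName must be single-valued, got {names}")
        result[names[0]] = set(attrs.get("grants", []))
    return result


def group_members(entries, group_dn):
    """Return the member DNs of a static groupOfUniqueNames entry."""
    attrs = entries[group_dn]
    if "groupOfUniqueNames" not in attrs.get("objectClass", []):
        raise ValueError(f"{group_dn} is not a groupOfUniqueNames")
    return set(attrs.get("uniqueMember", []))


def permissions_for_roles(role_map, role_names):
    """Union of the grants of several roles; an unknown role raises KeyError."""
    perms = set()
    for name in role_names:
        perms |= role_map[name]
    return perms


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    role_map = roles(entries)
    print("payrollClerk grants:", sorted(role_map["payrollClerk"]))
    print("clerk+auditor grants:",
          sorted(permissions_for_roles(role_map, ["payrollClerk", "auditor"])))
    print("payrollStaff members:",
          sorted(group_members(entries, "cn=payrollStaff,ou=groups,dc=example,dc=com")))
```

Note that, as in the message, the permission names carry no semantics here: the resolver only tells an application which labels a role grants, and the application decides what accessPayroll means. The message also does not say how users or groups are assigned roles, so this example stops at the two facts it does state (roles as named grant sets, groups as static lists of user DNs) rather than guessing at that link.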