Permissions
===========
So would it be correct to say that a permission is a Class with 3 properties:
    String name;     //The name of the permission
    URI resource;    //The resource/method/operation
    Boolean access;  //Whether access is allowed

Groups
===========
Can we create a group of users and assign a role to that group, thereby assigning the role to all the users in that group?

--- Alex Karasulu <[EMAIL PROTECTED]> wrote:

> Hello,
>
> I would like to have a discussion on the meaning of these entities in
> general and with respect to how they are modeled in Triplesec today in
> the trunk:
>
>   o Permissions
>   o Roles
>   o Groups
>
> I've been talking to djencks about this stuff for a bit now as we have
> started working together on various aspects of Triplesec. I'd like to
> have a general discussion about these concepts here so we can all be on
> the same page with what they are. Let me kick this off.
>
> Permissions
> ===========
>
> To me a permission is a right that is granted to access a resource or
> perform some kind of protected operation. To a large degree the
> semantics of permissions are undefined except within a specific
> application. For example the permission to accessPayroll may not have
> much meaning outside of an application dealing with payroll management.
>
> In Triplesec (trunk) a permission is just a label without any meaning.
> The semantics of the permission is left up to the application to define.
>
> Roles
> =====
>
> A Role is a collection of permissions associated together to represent
> the rights needed by one to perform the actions or activities of a
> function. For our purposes we can just say a role is a collection of
> permissions.
>
> As a collection of permissions which are application specific, roles
> themselves become application specific.
>
> In Triplesec (trunk) a role is just a collection of granted permissions
> with a name. Role entries in Triplesec have a SINGLE-VALUED 'roleName'
> and a MULTI-VALUED 'grants' attribute.
> You just add the names of permissions to a role entry to add them to the
> role.
>
> Groups
> ======
>
> Although you can group anything I think we're talking more about groups
> of users in this context. Groups are primarily used to make
> administration tasks easier. By grouping people, they can be managed
> as a single group rather than performing the same upkeep operations on
> all the members of the group.
>
> In Triplesec a group is a static LDAP group (groupOfUniqueNames) or user
> DNs right now. We may expand this to include dynamic groups in the future.
>
> Thoughts? Corrections?
>
> Alex
