Ersin Er wrote:
> On 1/25/07, Alex Karasulu <[EMAIL PROTECTED]> wrote:
>> Hello,
> Hi,
> I will extend the discussion using my recent experience with the subject.
>> I would like to have a discussion on the meaning of these entities in
>> general and with respect to how they are modeled in Triplesec today in
>> the trunk:
>> o Permissions
>> o Roles
>> o Groups
> These can be extended to the following entities:
> Policies
> Subjects
> Rules
> Conditions

Where is this from? Are these SUN's commercialized names for things they
have in their access control manager?

> Subjects include any LDAP representable (or somewhat more abstract)
> user group: LDAP Group, LDAP User, Different User Selections based on
> some filter or bind options etc.
> Rules are the actions that can be permitted to subjects. The most
> common rule type is URL Access Rules. In Triplesec's case, the thing
> supported by this scheme can be named as String Rules. Triplesec does
> not really control access but only allows it to be queried. (Maybe I
> am wrong.)

No, you are right; we would need to supply agents that use Triplesec to do
this.

> A real Access Control server should really take the control
> of access to the resources it is protecting. The resource in case of a
> URL Access Rule is a URL for example. An Access Control system should
> be aware of or should be in contact with the resource it's protecting.
> This can generally be provided by an agent installed on the resource
> side without affecting the resource itself.

Sure.

> Conditions may depend on the type of Rules or may be generic. For
> example, you may specify the time period a resource is allowed to be
> accessed.
> I will not go on inlining my comments below because I think I have
> changed the topic a little bit. If what I am talking about is far different
> from Triplesec's model or aims, we can just ignore them. Or we may
> merge the schemes as we're discussing.

No, this is not on the topic :) but it is an important topic to have on
this ML about SUN's access manager terminology and how their stuff
works. This will help us build a better mousetrap. Perhaps you can
put these kinds of things on another thread.

Alex
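The model Ersin sketches above (Subjects selected from the directory, Rules over resources such as URLs or Triplesec-style permission strings, Conditions such as a time window, all composed into Policies) expressed as a small deny-by-default evaluator. This is an added illustration, not Triplesec code and not written by either poster; the class names, the allow/deny "effect" on a policy, the glob-style URL matching, and the sample users and policies are all assumptions constructed for the example. As the thread notes, an evaluator like this only answers "is it allowed?"; enforcing the answer still needs an agent at the resource.

```python
"""Toy Subjects / Rules / Conditions / Policies model (constructed example)."""
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class User:
    """A directory entry as the evaluator sees it (constructed shape)."""
    uid: str
    groups: frozenset
    attrs: dict            # e.g. {"employeeType": "contractor"}


# --- Subjects: who a policy applies to (assumed class names) -----------------
class UserSubject:
    def __init__(self, uid): self.uid = uid
    def matches(self, user): return user.uid == self.uid

class GroupSubject:
    def __init__(self, cn): self.cn = cn
    def matches(self, user): return self.cn in user.groups

class FilterSubject:
    """A selection given by a predicate, standing in for an LDAP filter."""
    def __init__(self, predicate): self.predicate = predicate
    def matches(self, user): return self.predicate(user)


# --- Rules: which resource and action the policy governs ---------------------
class UrlAccessRule:
    """Glob-style URL pattern plus the methods it governs."""
    def __init__(self, pattern, actions):
        self.pattern, self.actions = pattern, frozenset(actions)
    def covers(self, resource, action):
        return action in self.actions and fnmatchcase(resource, self.pattern)

class StringRule:
    """Exact match on an opaque permission name, in the spirit of Triplesec's
    string permissions; the action is irrelevant for this rule type."""
    def __init__(self, name): self.name = name
    def covers(self, resource, action): return resource == self.name


# --- Conditions: evaluated against request-time context ----------------------
@dataclass(frozen=True)
class Context:
    now: time

class TimeWindowCondition:
    def __init__(self, start, end): self.start, self.end = start, end
    def holds(self, ctx): return self.start <= ctx.now < self.end


@dataclass(frozen=True)
class Policy:
    name: str
    subjects: tuple
    rules: tuple
    conditions: tuple = ()
    effect: str = "allow"          # "allow" or "deny" (assumed vocabulary)

    def applies(self, user, resource, action, ctx):
        return (any(s.matches(user) for s in self.subjects)
                and any(r.covers(resource, action) for r in self.rules)
                and all(c.holds(ctx) for c in self.conditions))


def decide(policies, user, resource, action, ctx):
    """Deny by default; any applicable deny policy beats every allow."""
    decision = "deny"
    for p in policies:
        if p.applies(user, resource, action, ctx):
            if p.effect == "deny":
                return "deny"
            decision = "allow"
    return decision


# Constructed sample data: users, groups and policies are all made up.
POLICIES = (
    Policy("admins-console", (GroupSubject("admins"),),
           (UrlAccessRule("/admin/*", {"GET", "POST"}),),
           (TimeWindowCondition(time(8), time(18)),)),
    Policy("staff-reports",
           (FilterSubject(lambda u: u.attrs.get("employeeType") == "staff"),),
           (UrlAccessRule("/reports/*", {"GET"}),)),
    Policy("no-contractors-in-admin",
           (FilterSubject(lambda u: u.attrs.get("employeeType") == "contractor"),),
           (UrlAccessRule("/admin/*", {"GET", "POST"}),), effect="deny"),
    Policy("alice-audit", (UserSubject("alice"),), (StringRule("viewAuditLog"),)),
)
ALICE = User("alice", frozenset({"admins"}), {"employeeType": "staff"})
BOB = User("bob", frozenset({"admins"}), {"employeeType": "contractor"})
CAROL = User("carol", frozenset(), {"employeeType": "staff"})


def check(user, resource, action, hour):
    """Evaluate a request against POLICIES at the given hour of day."""
    return decide(POLICIES, user, resource, action, Context(time(hour)))


if __name__ == "__main__":
    for who, res, act, hour in ((ALICE, "/admin/users", "GET", 10),
                                (ALICE, "/admin/users", "GET", 22),
                                (BOB, "/admin/users", "GET", 10),
                                (CAROL, "/reports/q1", "GET", 10)):
        print(who.uid, act, res, f"{hour:02d}:00 ->", check(who, res, act, hour))
```

Two design points carry the security weight: the engine starts from "deny" and only an applicable allow changes that, and an explicit deny (here, keeping contractors out of the admin console even when their group membership would allow it) wins regardless of policy order. Conditions are checked against request-time context, so a policy that is valid at 10:00 silently stops applying at 22:00 without any change to the subject or rule sets.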