Ole Ersoy wrote:
Permissions
===========
So would it be correct to say that a permission is a Class with 3 properties:

String name; //The name of the permission
URI resource; //The resource/method/operation
Boolean access; //Whether access is allowed

Hmm, I don't think I agree. The boolean parameter is not necessary in my mind. In general I like simpler systems where you either have a permission to do something or you don't have access at all. I don't like the idea of positive and negative permissions. IMHO they make things more complex.

This is one of my issues with Java security and its implies method.
Groups
===========
Can we create a group of users and assign a role to that group, thereby assigning the role to all the users in that group?

Yes, effectively you can achieve this result; however, you would not add the role directly to the group. At least I don't recommend this. The best way IMO to model this in LDAP would be to have a profile for the group. This is kind of like a link table.

But essentially the answer is yes.
Alex
--- Alex Karasulu <[EMAIL PROTECTED]> wrote:
Hello,

I would like to have a discussion on the meaning of these entities in general and with respect to how they are modeled in Triplesec today in the trunk:

o Permissions
o Roles
o Groups

I've been talking to djencks about this stuff for a bit now as we have started working together on various aspects of Triplesec. I'd like to have a general discussion about these concepts here so we can all be on the same page with what they are. Let me kick this off.
Permissions
===========
To me a permission is a right that is granted to access a resource or perform some kind of protected operation. To a large degree the semantics of permissions are undefined except within a specific application. For example the permission to accessPayroll may not have much meaning outside of an application dealing with payroll management.

In Triplesec (trunk) a permission is just a label without any meaning. The semantics of the permission is left up to the application to define.
Roles
=====
A Role is a collection of permissions associated together to represent the rights needed by one to perform the actions or activities of a function. For our purposes we can just say a role is a collection of permissions.

As a collection of permissions which are application specific, roles themselves become application specific.

In Triplesec (trunk) a role is just a collection of granted permissions with a name. Role entries in Triplesec have a SINGLE-VALUED 'roleName' and a MULTI-VALUED 'grants' attribute. You just add the names of permissions to a role entry to add them to the role.
Groups
======
Although you can group anything I think we're talking more about groups of users in this context. Groups are primarily used to make administration tasks easier. By grouping people they can be managed as a single group rather than performing the same upkeep operations on all the members of the group.

In Triplesec a group is a static LDAP group (groupOfUniqueNames) of user DNs right now. We may expand this to include dynamic groups in the future.
Thoughts? Corrections?
Alex
begin:vcard
fn:Alex Karasulu
n:Karasulu;Alex
org:Apache Software Foundation;Apache Directory
adr:;;1005 N. Marsh Wind Way;Ponte Vedra;FL;32082;USA
email;internet:[EMAIL PROTECTED]
title:Member, V.P.
tel;work:(904) 791-2766
tel;fax:(904) 808-4789
tel;home:(904) 808-4789
tel;cell:(904) 315-4901
note;quoted-printable:AIM: alexokarasulu=0D=0A=
MSN: [EMAIL PROTECTED]
Yahoo!: alexkarasulu=0D=0A=
IRC: aok=0D=0A=
PGP ID: 1024D/4E1370F8 BBCC E8D8 8756 2D51 C3D4 014A 3662 F96F 4E13 70F8=0D=0A=
x-mozilla-html:FALSE
url:http://people.apache.org/~akarasulu
version:2.1
end:vcard
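As an added example that is not part of this thread or of Triplesec's own code, the Python below models the entities as described above: a permission is a bare label, a role entry carries a single 'roleName' and multi-valued 'grants', a group is a static groupOfUniqueNames of user DNs, and a separate "profile" entry links a group to its roles instead of putting roles on the group directly. The LDIF is constructed sample data; the profile entry's attribute names ('group', 'roles') are assumptions, and because permissions are grant-only, resolving a user's rights is a plain union with nothing to subtract.

```python
from collections import defaultdict

# Constructed sample LDIF (not Triplesec's real schema): one role, one static
# group of user DNs, and an assumed profile entry linking group -> roles.
SAMPLE_LDIF = """\
dn: roleName=payrollClerk,ou=roles,dc=example,dc=com
roleName: payrollClerk
grants: accessPayroll
grants: printPayslip

dn: cn=payroll,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=users,dc=example,dc=com
uniqueMember: uid=bob,ou=users,dc=example,dc=com

dn: profileId=payroll,ou=profiles,dc=example,dc=com
group: cn=payroll,ou=groups,dc=example,dc=com
roles: payrollClerk
"""

def parse_ldif(text):
    """Parse the 'attr: value' LDIF subset above; entries are blank-line separated."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if current is None:
            current = defaultdict(list)
            entries.append(current)
        current[attr].append(value)
    return entries

def build_model(entries):
    """Split parsed entries into roles (name -> grants), groups (dn -> members), profiles."""
    roles = {e["roleName"][0]: set(e["grants"]) for e in entries if "roleName" in e}
    groups = {e["dn"][0]: set(e["uniqueMember"])
              for e in entries if "groupOfUniqueNames" in e.get("objectClass", [])}
    profiles = [(e["group"][0], set(e["roles"])) for e in entries if "group" in e]
    return roles, groups, profiles

def permissions_for(user_dn, roles, groups, profiles):
    """user -> groups -> profiles -> roles -> grants; grant-only, so a plain union."""
    perms = set()
    for group_dn, role_names in profiles:
        if user_dn in groups.get(group_dn, ()):
            for name in role_names:
                perms |= roles.get(name, set())
    return perms
```

A user who is in no linked group simply resolves to an empty set; there is no deny entry to check, which is the simplicity the reply above argues for.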