Alex - I sent this before I saw the Hierarchical role stuff...so we could just scratch it...
--- Ole Ersoy <[EMAIL PROTECTED]> wrote:
> Permissions
> ===========
>
> Ah - Gotcha - If the Permission is present, then
> access is automatically true. Makes sense.
>
> Groups
> ===========
>
> Hmmm - trying to get the profiles part...
>
> I think you are saying it's an efficient way of doing this:
>
> Suppose I want to know if
>
> "Ole"
>
> has access to
>
> "http://some.typical.resource.watteva"
>
> So I pass "Ole" and "http://some.typical.resource.watteva"
> to triplesec.
>
> triplesec first checks some indexed structure
> if "Ole" is allowed to get "http://some.typical.resource.watteva"
>
> But can't find Ole.
>
> So,
> Triplesec finds groups that "Ole" belongs
> to in some other indexed structure.
>
> Then triplesec retrieves roles assigned to the groups.
> Then searches through the roles for a permission
> containing "http://some.typical.resource.watteva"?
>
> Cheers,
> - Ole
>
>
> --- Alex Karasulu <[EMAIL PROTECTED]> wrote:
>
> > Ole Ersoy wrote:
> > >
> > > Permissions
> > > ===========
> > > So would it be correct to say that a permission
> > > is a Class with 3 properties:
> > >
> > > String name; //The name of the permission
> > > URI resource; //The resource/method/operation
> > > Boolean access; //Whether access is allowed
> >
> > Hmm I don't think I agree. The boolean parameter is
> > not necessary in my mind. In general I like simpler systems where you
> > either have a permission to do something or you don't have access
> > at all. I don't like the idea of positive and negative permissions.
> > IMHO they make things more complex.
> >
> > This is one of my issues with Java security and its
> > implies method.
> >
> > > Groups
> > > ===========
> > >
> > > Can we create a group of users and assign a role to
> > > that group, thereby assigning the role to all the
> > > users in that group?
> >
> > Yes effectively you can achieve this result however you would not add
> > the role directly to the group. At least I don't recommend this. The
> > best way IMO to model this in LDAP would be to have a profile for the
> > group. This is kind of like a link table.
> >
> > But essentially the answer is yes.
> >
> > Alex
> >
> > > --- Alex Karasulu <[EMAIL PROTECTED]> wrote:
> > >
> > >> Hello,
> > >>
> > >> I would like to have a discussion on the meaning of
> > >> these entities in general and with respect to how they are modeled in
> > >> Triplesec today in the trunk:
> > >>
> > >> o Permissions
> > >> o Roles
> > >> o Groups
> > >>
> > >> I've been talking to djencks about this stuff for a
> > >> bit now as we have started working together on various aspects of
> > >> Triplesec. I'd like to have a general discussion about these concepts here
> > >> so we can all be on the same page with what they are. Let me kick this
> > >> off.
> > >>
> > >> Permissions
> > >> ===========
> > >>
> > >> To me a permission is a right that is granted to
> > >> access a resource or perform some kind of protected operation. To a
> > >> large degree the semantics of permissions are undefined except within
> > >> a specific application. For example the permission to
> > >> accessPayroll may not have much meaning outside of an application dealing with
> > >> payroll management.
> > >>
> > >> In Triplesec (trunk) a permission is just a label without any meaning.
> > >> The semantics of the permission is left up to the application to define.
> > >>
> > >> Roles
> > >> =====
> > >>
> > >> A Role is a collection of permissions associated together to represent
> > >> the rights needed by one to perform the actions or activities of a
> > >> function. For our purposes we can just say a role is a collection of
> > >> permissions.
> > >>
> > >> As a collection of permissions which are application specific, roles
> > >> themselves become application specific.
> > >>
> > >> In Triplesec (trunk) a role is just a collection of granted permissions
> > >> with a name. Role entries in Triplesec have a SINGLE-VALUED 'roleName'
> > >> and a MULTI-VALUED 'grants' attribute. You just add the names of
> > >> permissions to a role entry to add them to the role.
> > >>
> > >> Groups
> > >> ======
> > >>
> > >> Although you can group anything I think we're talking more about groups
> > >> of users in this context. Groups are primarily used to make
> > >> administration tasks easier. By grouping people and
=== message truncated ===
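The model the thread converges on (permissions as bare labels with no positive/negative flag, roles as a `roleName` plus a multi-valued `grants` set, groups holding users, and a profile acting as a link table between a user or group and its roles) can be sketched in a few lines. The following is an added illustration written for this page, not Triplesec code: the class names, the in-memory `Directory` standing in for LDAP entries, the sample users, roles and the resource-to-permission mapping are all constructed assumptions. It walks the lookup Ole describes: direct profile first, then the groups the user belongs to, then the roles on those profiles, then the grants on those roles. Because there is no deny flag, absence of a grant is the only way access is refused.

```python
"""Toy model of Triplesec-style permissions, roles, groups and profiles.

Added example for this thread; the entry shapes follow the mails, but every
name and value below is a constructed assumption, not project data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    role_name: str            # SINGLE-VALUED 'roleName'
    grants: frozenset[str]    # MULTI-VALUED 'grants': permission labels only


@dataclass(frozen=True)
class Group:
    name: str
    members: frozenset[str]   # user ids


@dataclass(frozen=True)
class Profile:
    """Link-table entry: which roles a principal (user *or* group) holds."""
    principal: str
    roles: frozenset[str]     # roleName values


class Directory:
    """In-memory stand-in for the LDAP entries (assumption)."""

    def __init__(self, roles, groups, profiles):
        self.roles = {r.role_name: r for r in roles}
        self.profiles = {p.principal: p for p in profiles}
        # Secondary index user -> group names: the "other indexed structure"
        # consulted when the user has no direct profile.
        self.groups_of: dict[str, set[str]] = {}
        for g in groups:
            for member in g.members:
                self.groups_of.setdefault(member, set()).add(g.name)

    def effective_roles(self, user: str) -> set[str]:
        roles: set[str] = set()
        if user in self.profiles:                       # 1. direct profile
            roles |= self.profiles[user].roles
        for gname in self.groups_of.get(user, ()):      # 2. group profiles
            if gname in self.profiles:
                roles |= self.profiles[gname].roles
        return roles

    def effective_permissions(self, user: str) -> set[str]:
        perms: set[str] = set()
        for role_name in self.effective_roles(user):    # 3. roles -> grants
            role = self.roles.get(role_name)
            if role is not None:
                perms |= role.grants
        return perms

    def has_permission(self, user: str, permission: str) -> bool:
        # No negative permissions: not granted anywhere means denied.
        return permission in self.effective_permissions(user)


# The application, not Triplesec, decides what a label means; here it maps a
# resource URI to the permission label that guards it (constructed sample).
RESOURCE_PERMISSIONS = {
    "http://some.typical.resource.watteva": "viewTimesheets",
    "http://payroll.example/run": "accessPayroll",
}


def can_access(directory: Directory, user: str, resource: str) -> bool:
    permission = RESOURCE_PERMISSIONS.get(resource)
    return permission is not None and directory.has_permission(user, permission)


def build_demo_directory() -> Directory:
    """Constructed sample data illustrating the thread's scenario."""
    roles = [
        Role("payrollClerk", frozenset({"accessPayroll", "viewTimesheets"})),
        Role("admin", frozenset({"manageUsers"})),
    ]
    groups = [Group("finance", frozenset({"ole", "jane"}))]
    profiles = [
        Profile("finance", frozenset({"payrollClerk"})),  # role via group
        Profile("alex", frozenset({"admin"})),            # role via user
    ]
    return Directory(roles, groups, profiles)


if __name__ == "__main__":
    d = build_demo_directory()
    for user, res in [("ole", "http://some.typical.resource.watteva"),
                      ("alex", "http://some.typical.resource.watteva"),
                      ("bob", "http://payroll.example/run")]:
        print(user, res, can_access(d, user, res))
```

The group never carries the role itself; `Profile("finance", ...)` is the link-table entry Alex recommends, so removing "ole" from the group drops every role he obtained through it without touching the role or the group entry.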
