On Oct 27, 2007, at 4:09 PM, Alex Karasulu wrote:
David,
I divided the topic into separate threads so we can discuss each
part separately
in easy to read bite sized chunks. This way most of us, mainly me,
could respond to
comments within a reasonable amount of time. Divide and conquer!
OK, I definitely should have talked about this before I commented on
your proposed definitions. I think we should keep all the terms in a
proposed model in one email thread (e.g as I changed your posts to)
since the terms are very dependent on one another and unless all
parts of a proposed change are in one email we will not be able to
get a consistent view of such a proposed change. That's why I
combined them: I can't even keep your original model in my head
unless its on one "piece of paper". However if you insist I will
repost my comments as replies to your original emails. I think that
will result in much more confusion than keeping all the terms together.
These small chunks paraphrase concepts within NIST paper using
simple yet clear words
that many of us can relate to based on our experiences with
authorization without being
mathematicians.
OK, but as i tried to make clear in my comments I do not find all
your definitions clear and they are not the same as the model in the
NIST paper. I believe you suggested we should make our terms and
definitions as clear as possible so I think my pointing out where I
find your language unclear is entirely appropriate.
We can elevate the conversation to that level later however we will
loose some people in
the process. The idea is to engage as many people as possible with
simple clear descriptions.
Because we don't need to define things as a specification does to
have users give us good ideas
based on their experiences. We just need to use clear language.
That was the point, not to
reinvent the NIST terminology, but to state them in the IT vernacular.
There will be time for pulling out the material in the NIST paper
and discussing it's points
verbatim but first we need to discuss and identify the problem in
clear language without using
complex vocabulary on ideas that are mixed together across an email
taking 5 pages.
I don't think you considered why I initially used this format.
Perhaps you may consider
breaking down your thoughts into smaller pieces? Maybe you can
reply to my previous
posts instead of derailing those threads?
If you think that it is better to have shorter emails and no easy way
to construct a proposed modified model after comments to many of
those shorter emails, I'll be happy to take my comments apart into
the individual emails rather than the verbatim aggregation I used.
I'd like to mention why I like the NIST model: it's really easy for
me to figure out what it means. I can easily see how to implement
the data model in java, in a relational database, or even despite my
relative lack of familiarity with ldap, in an ldap schema. When I
think of operations involving the model, whether it be deciding if a
user can do something or changing their permissions or examining
permissions, its really easy to see how to do it. When I look at
stuff thats not directly from the NIST model everything gets
muddier. This applies to my descriptions of scope and denied
permissions and roles, and many of your proposed definitions. I feel
like if we don't start with the NIST model we will be wasting time
reinventing the wheel.
Alex
