On Oct 27, 2007, at 5:46 PM, Ole Ersoy wrote:
Hey Guys,
Seen tons of good material from both Alex and David so far, and I
think I'm getting what Triplesec is supposed to do in general. I
wonder if it might help to state use cases / concrete examples?
Here's a quick example:
Use Case / Use Example
---------------------------------------------------
Allow user Joe read access to file below /home/commons/
on host 192.168.1.64
---------------------------------------------------
I think this would allow people on the list to say "Yeah - If I
could centrally store the rule that Joe should be allowed to read
everything under /home/commons on 192.168.1.64 that would be really
valuable." Also people would be able to focus in on the example
and ask more questions about it, and each mail thread would be
focus on each use case.
Then we could keep enumerating all the scenarios until everything
is covered like:
Use Case
---------------------------------------------------
Allow user Joe write access to files below /home/commons/only-joe/
on host 192.168.1.64
---------------------------------------------------
Use Case
---------------------------------------------------
Allow user Apache read access to files below /var/www/html/
on host 192.168.1.64
---------------------------------------------------
(The above are the same use cases / examples. I personally get the
"Aha!" feeling quicker with lots of examples with minor variations,
such as as this with one with user being a human user in the first
case and a daemon in the second...).
Use Case
---------------------------------------------------
Create a Role JoeRole
---------------------------------------------------
Use Case
---------------------------------------------------
Assign User Joe to JoeRole
---------------------------------------------------
etc
These use cases could be put in separate thread so that so that
each could be discussed separately from everything else. In this
last case, people might ask "How would I define Joe
Programatically?", "Why would I assign Joe to JoeRole?" or "What if
I wanted to assign JoeRole to JoeDaddyRole?", "Who's your Daddy?",
etc.
Anyways, just an idea. I'm off vacation for seven days, so sorry
if I don't get a chance to respond right away, if anyone comments
on this.
This might be a good idea although I'm afraid of the number of use
cases we will find. I think the ones I'm most interested in (or at
least the ones I can think of quickly) are:
1. I'm an app server, and we've authenticated the user. The user is
trying to access some part of an application. Should I let them?
2. I'm a security admin, and we just hired joe. I need to enter his
info into the system and make it so he has the permissions he needs
to do his job, and no other permissions.
3. I'm a security admin, and we just got a new program. I need to
make it so the people who need to use the program have the
permissions to do so, and no one else does.
4. I'm the administrator of a dynamic content application such as a
portal, and we just added content. I need to assign permissions so
the people who need to see it can and no one else does.
5. I'm the triplesec contractor, and I need to install triplesec in
this system with thousands of existing users, hundreds of
applications, and thousands of permissions. I need to set up
triplesec to work with the existing data.
Just as I'm scared of being able to understand a model spread across
5 email threads, I'm scared of trying to understand use cases spread
through many threads. We'll see :-)
thanks
david jencks
Cheers,
- Ole
