On Oct 24, 2007, at 10:29 AM, Alex Karasulu wrote:
Environments and Groups
-------------------------------------
When releases are ready for deployment, systems and applications must be put into some operating environment. Within any environment identities will exist; some will be users, some services and some will be specific hosts. These principals, for the sake of manageability, are often categorized together into logical associations. By grouping identities together, administrators can handle them as a single entity where the same set of tasks may apply to the group, whatever those management operations may be.

Although groups are designed by administrators to simplify and reduce their workload, it's no coincidence that these groups are highly dependent on an organization's structure or the processes within an organization. General groups may exist for the entire organization. More specific groups will exist for the departments of an organization. When processes drive the creation of groups, membership is based on similar functions required of a group's members. Sometimes processes are isolated to a division, but more often than not, processes span across divisions, leading to the creation of cross-divisional groups.
I think this says that there's a set of Users (or principals?) we need to keep track of and that if there are more than a few users we will want to treat lots of them the same way. Since we are discussing authorization here I think this means that there are sets of users we want to grant the same permissions with a single simple operation.
We extract more glossary definitions:

Group:
A set of distinctly identifiable entities which are categorically alike within an organization, organizational unit or with respect to some organizational process.
I'm not sure what this means beyond "a group is a set of users". I'm sure everyone agrees that we need an easy way to take users who need to do the same kind of stuff and treat them all in the same way. Even though "groups" are in most or all existing systems I'm not sure our model or our discussion needs a separate concept from "roles" to handle them. To me it seems that conceptually when you start with users and ask "who does the same kind of job" you think "group", but when you start with permissions and ask "what permissions do we need to group together to get a useful task done" you think "role".
thanks
david jencks
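The group/role distinction David draws above (groups built from the user side, roles built from the permission side) can be made concrete with a small authorization model. The following is an added example written for this thread; it is not code from the discussion or from any Apache project, and the class names, permission strings and the sample users, groups and roles are all made up. A principal's effective permissions are the union of the permissions of every role it reaches, either through a direct grant or through a group it belongs to, so adding a member to a group is the "single simple operation" that hands out a whole set of permissions at once.

```python
"""Groups versus roles in a small authorization model.

Added illustration for the mailing-list thread; not code from the
discussion or from any Apache project. Class names, permission strings
and all sample data are assumptions made up for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    """Defined from the permission side: the permissions that have to be
    grouped together to get one useful task done."""
    name: str
    permissions: frozenset


@dataclass
class Group:
    """Defined from the user side: principals that do the same kind of
    job. A group carries no permissions itself; it is granted roles."""
    name: str
    members: set = field(default_factory=set)
    roles: set = field(default_factory=set)


class Authorizer:
    """Resolves a principal's permissions through direct role grants and
    through the roles granted to every group the principal belongs to."""

    def __init__(self):
        self.roles = {}         # role name -> Role
        self.groups = {}        # group name -> Group
        self.direct_roles = {}  # principal -> set of role names

    def add_role(self, role):
        self.roles[role.name] = role

    def add_group(self, group):
        self.groups[group.name] = group

    def _check_role(self, role_name):
        # Refuse grants of roles that were never defined rather than
        # silently creating an empty role.
        if role_name not in self.roles:
            raise KeyError("unknown role: %s" % role_name)

    def grant_role_to_user(self, principal, role_name):
        self._check_role(role_name)
        self.direct_roles.setdefault(principal, set()).add(role_name)

    def grant_role_to_group(self, group_name, role_name):
        self._check_role(role_name)
        self.groups[group_name].roles.add(role_name)

    def effective_roles(self, principal):
        # Direct grants plus the roles of every group the principal is in.
        roles = set(self.direct_roles.get(principal, ()))
        for group in self.groups.values():
            if principal in group.members:
                roles |= group.roles
        return roles

    def permissions(self, principal):
        perms = set()
        for role_name in self.effective_roles(principal):
            perms |= self.roles[role_name].permissions
        return perms

    def is_permitted(self, principal, permission):
        return permission in self.permissions(principal)


def build_sample():
    """Constructed sample data: two roles built from permissions, two
    groups built from people, and one direct grant that bypasses groups."""
    az = Authorizer()
    az.add_role(Role("deployer", frozenset({"deploy:app", "read:logs"})))
    az.add_role(Role("auditor", frozenset({"read:logs", "read:config"})))

    az.add_group(Group("ops", members={"alice", "bob"}))
    az.add_group(Group("security", members={"carol"}))

    # One operation on the group grants the role to every member.
    az.grant_role_to_group("ops", "deployer")
    az.grant_role_to_group("security", "auditor")
    # A role can also be granted to a single principal without a group.
    az.grant_role_to_user("bob", "auditor")
    return az


if __name__ == "__main__":
    az = build_sample()
    for who in ("alice", "bob", "carol", "dave"):
        print(who, sorted(az.effective_roles(who)), sorted(az.permissions(who)))
```

Note that removing a principal from a group immediately takes away the permissions that came through that group, while a direct role grant survives any group change; that is the practical difference between the two paths when auditing who can do what.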