Hi David,

Again I am condensing down the content, removing things we agree on.

On 10/31/07, David Jencks <[EMAIL PROTECTED]> wrote:

> > (2) A group does not have any security connotation associated with its
> > definition. It's merely an amalgamation.
>
> <flame>In that case why are we talking about it in the context of an authz
> manager?</flame>

I am not doing that yet. You are failing to divide and conquer by doing that yourself. This thread is about applications and groups. Look at my original definitions, which nowhere mention an authorization manager. That's the whole point. I intend to start discussing these in the context of an authorization manager later so we don't get tunnel vision and mix concepts together into one big heap.

> > (3) Groups are often defined to reduce the amount of management overhead by
> > enabling administrators to apply one operation to a group of N members,
> > instead of N operations on each member. The drive to maximize this benefit
> > over time brings about different kinds of groupings that naturally align
> > with processes and organizational structures.
> >
> > (4) A group need not be homogeneous.
>
> Not sure what you mean by this.
>
> I don't argue with any of this but don't see how it relates to whether
> "group" is an appropriate concept for an RBAC discussion. I've never denied
> that existing systems have groups defined in them and we have to work with
> these existing systems. Just because data is stored in something called a
> "group" doesn't, to me, mean we need to call it a group in our model or
> code.

Well, this is where I feel we have a complete disconnect. Yes, we can call a group a role and mix concepts together. This IMO is poor design. Define the entities you wish to model. Then start modeling them. The point is a group exists, and to 99% of the developers, users, and policy makers out there it is not equivalent to a role. I don't want to code or maintain this and have to contort my mind to translate a natural representation into this model. The translation costs extra energy.

The number of thoughts that can go through anyone's mind in a day is finite. Say we have a slew of users, contributors, and committers and so now integrate that wasted effort over 99%. That amounts to a lot of collective energy wasted to conform to this model you propose.

Alex
