Doug Chestnut wrote:
Andreas Hartmann wrote:
Michael Ralston wrote:
OK, IIUC you want to cut the inheritance at child level, not at
parent level. But what if you want to cut the inheritance only for
a certain user/group?
breaking inheritance at a certain child means that it has no policies
at all. therefore if you wanted to inherit only some permissions they
would have to be regranted on the child. eg...
OK, that's what I thought. IMO it is not very convenient, because you
have to duplicate the knowledge, and have to update the child when the
parent permissions change.
Couldn't this "remove all" inherited permissions be done with a "remove
all" button on the ac page? Then if you want to add the permission
(role / user|group|ip paring) back just uncheck the remove checkbox next
to the permission.
The problem is that the permissions are set on an ancestor document, and
might change. If you want to stop the inheritance at a child, you have to
a) reference the ancestor permission
b) duplicate the permission
IMO both options are not very practicable.
I'd prefer a "grant" vs. "deny" permission model, e.g.
/website
grant: world -> visit
/website/myspace
deny: world -> visit
grant: andreas -> visit, edit
/website/myspace/pulicstuff
grant: world -> visit
To resolve the actual permission, you just go up the tree and
look for the first match. E.g. at /website/myspace:
- john: first match: "deny: world -> visit"
- andreas: first match: "grant: andreas -> visit, edit"
The drawback is that the order of the permission entries is very
important. For instance, if I would change the order of the
/website/myspace entries, I wouldn't be allowed to visit the page,
because "deny: world -> visit" would become the first match.
-- Andreas
[...]
I do see the merits of the revoke system over the inheritance off
system. Is it possible (or useful) to have both systems together?
I guess this would be possible, but the user interface might become
quite complex.
>
Would it be worth doing some research into how various operating
systems handle this task? Rather than reinvent the wheel we could
model the lenya access controls on how an existing proven system
works, eg posix acl, or windows xp security dialogs.
I guess this makes sense, but I could imagine that repositories
like JCR are more appropriate than OSs. Feel free to come up with a
proposal!
-- Andreas
--
Andreas Hartmann
Wyona Inc. - Open Source Content Management - Apache Lenya
http://www.wyona.com http://lenya.apache.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
