Andreas Hartmann wrote:
Doug Chestnut wrote:
Andreas Hartmann wrote:
Michael Ralston wrote:
OK, IIUC you want to cut the inheritance at child level, not at
parent level. But what if you want to cut the inheritance only for
a certain user/group?
Breaking inheritance at a certain child means that it has no
policies at all. Therefore if you wanted to inherit only some
permissions they would have to be regranted on the child, e.g. ...
OK, that's what I thought. IMO it is not very convenient, because you
have to duplicate the knowledge, and have to update the child when the
parent permissions change.
Couldn't this "remove all inherited permissions" be done with a
"remove all" button on the AC page? Then if you want to add the
permission (role / user|group|ip pairing) back, just uncheck the remove
checkbox next to the permission.
The problem is that the permissions are set on an ancestor document, and
might change. If you want to stop the inheritance at a child, you have to
a) reference the ancestor permission
b) duplicate the permission
IMO both options are not very practicable.
I'd prefer a "grant" vs. "deny" permission model, e.g.
/website
grant: world -> visit
/website/myspace
deny: world -> visit
grant: andreas -> visit, edit
/website/myspace/publicstuff
grant: world -> visit
Ahh, Thanks for the example.
would inheritance be handled like so:
/website
*resolve inherited permissions
grant: world -> visit
/website/myspace
*resolve inherited permissions
deny: world -> visit
grant: andreas -> visit, edit
/website/myspace/publicstuff
*resolve inherited permissions
grant: world -> visit
/website/myspace/publicstuff/morestuff
*resolve inherited permissions
So the world would be able to visit morestuff, right?
To resolve the actual permission, you just go up the tree and
look for the first match. E.g. at /website/myspace:
- john: first match: "deny: world -> visit"
- andreas: first match: "grant: andreas -> visit, edit"
The drawback is that the order of the permission entries is very
important. For instance, if I changed the order of the
/website/myspace entries, I wouldn't be allowed to visit the page,
because "deny: world -> visit" would become the first match.
Ok, I understand this. Thanks for the explanation.
-- Andreas
[...]
I do see the merits of the revoke system over the inheritance off
system. Is it possible (or useful) to have both systems together?
I guess this would be possible, but the user interface might become
quite complex.
Would it be worth doing some research into how various operating
systems handle this task? Rather than reinvent the wheel, we could
model the Lenya access controls on how an existing proven system
works, e.g. POSIX ACLs or the Windows XP security dialogs.
I guess this makes sense, but I could imagine that repositories
like JCR are more appropriate than OSs. Feel free to come up with a
proposal!
-- Andreas
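The grant/deny resolution Andreas describes (walk up the document tree, the first matching entry wins), as an added example; this is not code from the thread or from Lenya. It assumes that "world" matches every principal and that entries are evaluated strictly in the order they are listed, so the specific grant for andreas is written before the world-wide deny at /website/myspace. order_matters() swaps those two entries to reproduce the drawback Andreas points out, and resolve() on /website/myspace/publicstuff/morestuff answers Doug's question (the world can visit it, decided by the entry on publicstuff). The parser reads the notation used in the thread; all paths and principals are constructed sample data.

```python
"""Path-based ACL with ordered grant/deny entries, resolved by walking up
the tree and taking the first matching entry.  Example code written for
this thread, not Lenya's implementation."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    effect: str          # "grant" or "deny"
    principal: str       # user or group name; "world" matches everyone
    actions: frozenset   # e.g. frozenset({"visit", "edit"})


Acl = Dict[str, List[Entry]]   # document path -> entries in listed order


def parse_acl(text: str) -> Acl:
    """Parse the notation used in the thread.

    A line starting with '/' opens a node; the following
    'effect: principal -> action, action' lines belong to it, in order.
    Lines starting with '*' (the thread's markers) are treated as comments.
    """
    acl: Acl = {}
    node: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.startswith("/"):
            node = line.rstrip("/") or "/"
            acl.setdefault(node, [])
            continue
        if node is None or ":" not in line or "->" not in line:
            raise ValueError(f"malformed ACL line: {line!r}")
        effect, rest = (part.strip() for part in line.split(":", 1))
        if effect not in ("grant", "deny"):
            raise ValueError(f"unknown effect in {line!r}")
        principal, actions = (part.strip() for part in rest.split("->", 1))
        acl[node].append(Entry(effect, principal,
                               frozenset(a.strip() for a in actions.split(","))))
    return acl


def ancestors(path: str) -> Iterator[str]:
    """Yield the path itself, then each ancestor, ending with the root."""
    parts = path.rstrip("/").split("/")   # "/a/b" -> ["", "a", "b"]
    while len(parts) > 1:
        yield "/".join(parts)
        parts.pop()
    yield "/"


def resolve(acl: Acl, path: str, principal: str, action: str,
            groups: Tuple[str, ...] = ()) -> Tuple[bool, Optional[str]]:
    """Return (allowed, deciding_node).

    Entries are checked in listed order at the document, then at its
    parent, and so on up the tree.  The first entry that names the
    principal, one of its groups, or 'world' for the requested action
    decides.  With no match at all the default is deny.
    """
    subjects = {principal, "world", *groups}
    for node in ancestors(path):
        for entry in acl.get(node, []):
            if entry.principal in subjects and action in entry.actions:
                return entry.effect == "grant", node
    return False, None


# The tree from the thread (constructed sample).  Under strict first-match
# evaluation the grant for andreas must precede the world-wide deny.
SAMPLE_ACL = """
/website
    grant: world -> visit
/website/myspace
    grant: andreas -> visit, edit
    deny: world -> visit
/website/myspace/publicstuff
    grant: world -> visit
"""


def order_matters() -> Tuple[bool, bool]:
    """Swap the two /website/myspace entries: andreas loses 'visit'."""
    acl = parse_acl(SAMPLE_ACL)
    before, _ = resolve(acl, "/website/myspace", "andreas", "visit")
    acl["/website/myspace"].reverse()
    after, _ = resolve(acl, "/website/myspace", "andreas", "visit")
    return before, after


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for who, where in [("john", "/website/myspace"),
                       ("andreas", "/website/myspace"),
                       ("john", "/website/myspace/publicstuff/morestuff")]:
        print(who, where, resolve(acl, where, who, "visit"))
    print("andreas after swapping entries:", order_matters())
```

Because resolution stops at the first matching entry, a deny for "world" placed above a specific grant silently shadows it; returning the deciding node alongside the boolean makes that kind of misordering visible in an audit log or a UI, which is the part of this model a reviewer would want to be able to check.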