> On Jan 28, 2016, at 8:50 AM, Chris Pike <[email protected]> wrote:
>
> Every application could define several permission attributes, and since we
> plan on using this for many applications, it could become a large list.
>
> Our paradigm of use might be slightly different than yours, so please
> correct me if I'm wrong, but is it fair to say we are mostly worried about
> adding extra read operations on the access manager operations, not to the
> review and admin manager calls? Regardless of where the ftPA information is
> stored, it shouldn't affect access manager other than access manager reading
> the additional ftRC and ftPA attribute values. I don't think the
> sessionPermissions check would need to read the ftPA reference object.
>
> Also, couldn't the ftPAs be cached regardless of where they are stored?

Correct, we must avoid adding extra ldap ops to the accessmgr apis. But we also must be careful, reviewmgr methods are sometimes called during policy enforcement too. Caching the entry is an option.

But I may have lost the forest from the trees. Can you (re)outline the approach, which apis to change, and how they must be changed according to where you are right now?

(If this gets tedious we can hop on IRC channel to discuss.)

Shawn
