>There's a difference between authentication and authorization. Authentication
>refers to the act of making sure a user is who they say they are (examples are
>passwords, keys, SecureID, biometrics, ...). Authorization refers to what that
>user can do once they've been authenticated.
I was thinking that authentication and authorization were one and the same, but I understand your distinction. The kind of authorization I was thinking about was not overly fine-grained: certain users would be able to modify tags, certain users would be able to commit (I am aware of the readers and writers files), and so on. In particular I was interested in tagging, but if we can come up with a common generic mechanism that will handle all of it I think the product will be better off.
>IMHO, the kind of authorization you're looking for can be handled by wrapper
>scripts (although you'll have to do some work parsing the input) or via taginfo
>scripts (a little better for what you're asking, but less general). I think a
>more elegant and general solution would be to have CVS handle command
>authorizations since they are highly tied to the tool (eg if one were using a
>wrapper script, one would have to keep up with any modifications to the existing
>set of CVS commands).
I've looked into using file permissions to handle this, but the archives must be writable for the users to commit, and the val-tags file is used in a different way than I first thought because of compatibility issues with old versions of cvs (according to comments in the code). I'm not fond of the wrapper-script idea because of our environment: geographically distributed PC clients with unix servers. I think it would be difficult to manage. The taginfo script will definitely work for what I was trying to do; I had not thought of that. The only drawback is that you end up with another authorization file, "taggers", that needs to be maintained.
The only thing that comes to mind about how to implement this in a more generic sense would be to modify the format of the passwd file. Fields would have to be added that would control the different types of permissions. The main benefit of this would be a single point of administration, which IMHO is a big usability point.
Tony
-----Original Message-----
[EMAIL PROTECTED] on 06/09/2000 07:43:50 AM
To: [EMAIL PROTECTED]
cc: (bcc: Noel L Yap)
Subject: Command level access control
Is there any way to control access to certain CVS commands on a user by user
basis? We have been tightening the permissions on our repository and there
are certain users that should never be able to add a tag or at least change
an existing tag. Is this possible?
It would seem that this kind of control would go against recent threads on
this list about externalizing the authentication by requiring CVS to
understand more about users and permissions than it does now.
TIA
------------------------------------------------------
Tony Cleveland
Development Manager - MicroStation Schematics
Bentley Systems, Incorporated
voice: (301)926-0802 fax: (301)926-2313
email: [EMAIL PROTECTED]
------------------------------------------------------
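
The taginfo approach with a separate "taggers" list, as discussed in the reply above, could look like the following sketch. This is an added example, not code from the thread or from CVS. The taggers file format, its path, the function names, and passing the user via `$USER` on the taginfo line are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): taginfo filter that authorizes tag
# operations per user from a hypothetical "taggers" file.
# Assumed taginfo line:   ALL /path/to/check-tagger $USER
# CVS appends: <tag> <op> <repository> [<file> <rev> ...]; op is add
# (cvs tag), mov (cvs tag -F) or del (cvs tag -d). A non-zero exit status
# aborts the tag operation.
# Assumed taggers format, one user per line:   name:op[,op...]

# may_tag USER OP TAGGERS_FILE: status 0 if allowed, 1 otherwise.
may_tag() {
    mt_user=$1; mt_op=$2; mt_file=$3
    # Only the three operations CVS passes are recognised.
    case $mt_op in add|mov|del) ;; *) return 1 ;; esac
    # Fail closed: a missing or unreadable list denies everyone.
    [ -r "$mt_file" ] || return 1
    while IFS=: read -r mt_name mt_ops || [ -n "$mt_name" ]; do
        case $mt_name in ''|'#'*) continue ;; esac
        [ "$mt_name" = "$mt_user" ] || continue
        mt_ops=$(printf '%s' "$mt_ops" | tr -d ' \t')
        # The user's first line decides; commas force whole-word matches.
        case ",$mt_ops," in *",$mt_op,"*) return 0 ;; esac
        return 1
    done < "$mt_file"
    return 1   # users not listed are denied
}

# taginfo_main USER TAG OP REPOSITORY [FILE REV ...]
taginfo_main() {
    [ $# -ge 4 ] || { echo "taginfo: bad arguments, denying" >&2; return 1; }
    # Placeholder path; point TAGGERS_FILE at the real list.
    if may_tag "$1" "$3" "${TAGGERS_FILE:-/path/to/CVSROOT/taggers}"; then
        return 0
    fi
    echo "taginfo: user '$1' may not '$3' tag '$2' in $4" >&2
    return 1
}

# Act as a hook only when CVS supplies arguments.
[ $# -eq 0 ] || { taginfo_main "$@"; exit $?; }
```

A line such as `bob:add` in the taggers file lets bob create tags but not move or delete existing ones, which matches the restriction asked about in the original message.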
