On Tue, 26 Oct 1999 [EMAIL PROTECTED] wrote:

> I'm working on an application with the following
> requirements:
>
> - Each member of an organization creates a set of
>   records (i.e., Midgard topics and articles) that
>   he/she owns and controls.
>
> - Each member maintains a private list of other members
>   and grants members on this list (or member-defined groups
>   of members) read access to his/her records individually.
>   So each record may have a different list of members
>   with read permissions. When a member submits a request
>   for a set of records that meet some particular criteria,
>   the application would assemble collections of records
>   from other members' records according to the requester's
>   access rights.

The way I see ACL: access control can be granted for create, delete,
modify and read for users, groups of users, and for specific record
types for creator, revisor, owner, etc. Records with no ACL inherit the
ACL of their nearest parent, with the ACL for the table being the root
parent.

There's the issue of ACL ownership: we can have ACLs for ACLs (but where
does it end), or grant the right to change an ACL to all persons that
have modify permissions on the resource (possibly by inherited ACL). In
your example we could set up a topic tree that gives modify permission
to 'creator', which would enable the creator of the topic/article to
create/adapt the ACL for that specific resource to grant rights on it
for specific purposes.

<pondering>we may want to disable people from ungranting themselves
modify permission, or one may end up with resources with empty ACLs
(= unreachable for anyone but the root group).</pondering>

Bye,

Emile

--
This is The Midgard Project's mailing list. For more information,
please visit the project's web site at http://www.midgard-project.org
To unsubscribe from the list, send an empty email message to address
[EMAIL PROTECTED]
