Hi guys,
Multi-role or multi-person approval is a difficult theme and is often mixed up with signatures on data. I do not discuss signatures here because signatures have nothing to do with the approval itself. I discuss this in more detail in another mail (the third one ;) ).
The problem with the multi approval (this is the name in the following for both types - multi-person and multi-role) is that we need a lot of detailed knowledge about the parameters of the function. This knowledge is already present in our access control. The access control knows how to get the owner, or better, whether there is an owner role, and how to get the operation (if it is mapped).
After the access control we have all the knowledge to start the evaluation. We only need the configuration:
- function/operation
- owner role (if the function has an owner role)
- needed roles/persons
All this information except the needed roles/persons is already included in the access control configuration. So my question is now: how about extending the ACL?
We can replace the actual role tag by several role tags.
<role>(RA Operator|CA Operator)</role> <role>(RA Operator|CA Operator)</role>
This configuration would require that two CA or RA operators agree to execute the function. We can still implement the voter as an extension of the AC module (e.g. OpenCA::AC::Voter). The voter checks directly as part of the access control what to do and then it either allows the function or stores the function plus the serialized data in a table of the database. This must be designed in more detail of course, but first we have to agree about the idea - not the details.
Comments ...?
Michael
--
Michael Bell
Humboldt-Universitaet zu Berlin
ZE Computer- und Medienservice
Unter den Linden 6
D-10099 Berlin
Tel.: +49 (0)30-2093 2482
Fax: +49 (0)30-2093 2704
[EMAIL PROTECTED]
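A small illustration of the voter idea sketched in the mail above (added here as an example; this is not OpenCA code and the class name is only a stand-in for the proposed OpenCA::AC::Voter). It parses an ACL fragment with one <role> tag per required approval, keeps the pending request in a dict in place of the database table, and allows the operation only when each role slot is filled by a distinct person.

```python
import re
from itertools import permutations

# Constructed ACL fragment in the style proposed in the mail: one <role>
# tag per required approval (here: two RA/CA operators must agree).
ACL_XML = """
<operation name="revoke_certificate">
  <role>(RA Operator|CA Operator)</role>
  <role>(RA Operator|CA Operator)</role>
</operation>
"""


def parse_required_roles(acl_xml):
    """One regex pattern per <role> tag; every pattern is one approval slot."""
    return re.findall(r"<role>(.*?)</role>", acl_xml)


class Voter:
    """Hypothetical stand-in for the proposed OpenCA::AC::Voter: collects
    approvals per request and allows the operation once every slot is filled."""

    def __init__(self, required_roles):
        self.slots = [re.compile(p) for p in required_roles]
        # Stands in for the database table holding function + serialized data.
        self.pending = {}

    def vote(self, request_id, operation, data, user, role):
        if not any(s.fullmatch(role) for s in self.slots):
            return "not_authorized"           # role fills no slot at all
        req = self.pending.setdefault(
            request_id, {"operation": operation, "data": data, "approvals": {}})
        if user in req["approvals"]:
            return "duplicate"                # one person, one approval
        req["approvals"][user] = role
        if self._slots_filled(req["approvals"].values()):
            del self.pending[request_id]      # release the stored function
            return "allow"
        return "pending"

    def _slots_filled(self, roles):
        # Try every assignment of approvers to slots, so overlapping patterns
        # such as "RA Operator" and "(RA Operator|CA Operator)" are handled.
        roles = list(roles)
        if len(roles) < len(self.slots):
            return False
        return any(all(s.fullmatch(r) for s, r in zip(self.slots, perm))
                   for perm in permutations(roles, len(self.slots)))
```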
