Thanks for your speedy reply. I need some time to experiment with what you just said and to digest it a little. I'll let you know how it goes. You are a true expert in this field of Authn and Authz, thank you so much for your help once again.
On Mar 14, 12:06 am, Michael Merickel <[email protected]> wrote:
> On Tue, Mar 13, 2012 at 11:52 PM, Mark <[email protected]> wrote:
> > 1. Does the above scenario mean that EVERY time a brand is created in
> > the system, I would have to generate for instance, "b1_create",
> > "b1_read" .... "b1_delete", "b2_create", "b2_read", "b2_update" ...
> > "b4_delete" permissions?
>
> The way I would approach the problem is to have a "create", "read" and
> "delete" permissions. When accessing a context of type B, it would then
> supply an __acl__ which is dynamically generated based on its origins. For
> example:
>
>     @property
>     def __acl__(self):
>         return [
>             (Allow, 'editor', ('read', 'update')),
>             (Allow, 'origin:' + self.origin, 'delete'),
>         ]
>
> With this, the object of type B has told us "who" is allowed to delete it.
> Now when Timothy accesses the system, it would be the responsibility of the
> authentication policy via the groupfinder to return a list of principals
> for Timothy. For example, Timothy is from France, so you would add the
> 'origin:france' principal, and he is an editor so you would add the
> 'editor' principal. Now when the auth system compares B's acl to Timothy's
> principals, he will only have the delete permission if one of his
> principals matches up with one of the ACEs providing delete.
>
> > Another example would be something like:
> >
> > An agent of a company can make orders. However, he should only be
> > able to select the products (this means read permission right?) from
> > his country. If he is an agent of France, he can only make orders of
> > products that are only for France, not those in Germany or Holland.
> > How would the ACL for this work....?
>
> Again, look at it from the perspective of the context (the object of
> interest). That object (the product) should provide an ACL that tells the
> auth system what principals are allowed to use it. For example the product
> returns (Allow, 'agent_of_'+self.origin, 'read') where self is a product.
> The auth system then compares these acls with the principals returned by
> the authentication policy.
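A worked model of the scheme in the quoted reply (a context that derives its __acl__ from its origin, plus a groupfinder that hands the user origin- and role-based principals), added here as an example; it is not code from the thread or from Pyramid itself. The Catalog root, the Product class, the USERS table, the can() helper and the sample users are constructed for the illustration. The permits() function re-implements the first-matching-ACE rule of Pyramid's ACLAuthorizationPolicy (walk the lineage root-ward, the first ACE whose principal the user holds and whose permission list contains the requested permission decides, no match means deny) so that the example runs without Pyramid installed; in real code you would import Allow, Everyone, Authenticated and ALL_PERMISSIONS from pyramid.security and let the policy do the walk.

```python
"""Dependency-free model of Pyramid-style ACL checks (constructed example)."""

Allow, Deny = "Allow", "Deny"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"


class _AllPermissions:
    """Stand-in for pyramid.security.ALL_PERMISSIONS: contains every permission."""

    def __contains__(self, _permission):
        return True


ALL_PERMISSIONS = _AllPermissions()


class Catalog:
    """Root resource (assumed); reached via __parent__ when a product's own ACL has no matching ACE."""

    __parent__ = None
    __acl__ = [(Allow, "admin", ALL_PERMISSIONS)]


class Product:
    """The context from the reply: a product knows its origin and derives its ACL from it."""

    def __init__(self, name, origin, parent):
        self.name, self.origin, self.__parent__ = name, origin, parent

    @property
    def __acl__(self):
        return [
            (Allow, "editor", ("read", "update")),
            (Allow, "agent_of_" + self.origin, "read"),
            (Allow, "origin:" + self.origin, "delete"),
        ]


def lineage(context):
    """Yield the context, then each parent up to the root."""
    while context is not None:
        yield context
        context = getattr(context, "__parent__", None)


def permits(context, principals, permission):
    """True only if the first ACE matching (principal held, permission listed) is an Allow."""
    for node in lineage(context):
        acl = getattr(node, "__acl__", None)
        if acl is None:
            continue
        if callable(acl):  # Pyramid also accepts __acl__ as a method
            acl = acl()
        for action, principal, perms in acl:
            if isinstance(perms, str):  # a single permission may be given as a bare string
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == Allow
    return False  # no ACE spoke for this permission: default deny


# Constructed user directory; a real groupfinder would consult a database.
USERS = {
    "timothy": {"origin": "france", "roles": ["editor"]},
    "anke": {"origin": "germany", "roles": []},
    "root": {"origin": "holland", "roles": ["admin"]},
}


def groupfinder(userid, _request=None):
    """Callback shape used by Pyramid's auth policies: extra principals, or None if unknown."""
    user = USERS.get(userid)
    if user is None:
        return None
    return ["origin:" + user["origin"], "agent_of_" + user["origin"], *user["roles"]]


def effective_principals(userid):
    """Assemble the principal list the way an authentication policy does."""
    principals = [Everyone]
    groups = groupfinder(userid)
    if groups is not None:
        principals += [Authenticated, userid, *groups]
    return principals


def can(userid, product, permission):
    """Convenience wrapper: may this user exercise this permission on this product?"""
    return permits(product, effective_principals(userid), permission)


if __name__ == "__main__":
    shop = Catalog()
    brie = Product("brie", "france", shop)
    wurst = Product("bratwurst", "germany", shop)
    for who, what, perm in [("timothy", brie, "delete"), ("timothy", wurst, "delete"),
                            ("anke", wurst, "read"), ("anke", brie, "read"),
                            ("root", brie, "update"), ("mallory", brie, "read")]:
        print(f"{who} {perm} {what.name}: {can(who, what, perm)}")
```

Running it shows the two cases from the thread: Timothy (origin:france, editor) can delete the French product but not the German one, and Anke, an agent of Germany with no editor role, can read German products only. The admin on the root Catalog is reached through the lineage walk, and an unknown user holds only Everyone and is denied everything.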
