FWIW, has anyone checked out http://csrc.nist.gov/rbac/? Goodly collection of whitepapers and stuff on the topic.
<excerpt> One of the most challenging problems in managing large networked systems is the complexity of security administration. Today, security administration is costly and prone to error because administrators usually specify access control lists for each user on the system individually. Role based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential for reducing the complexity and cost of security administration in large networked applications. With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier. </excerpt> Regards, Kelvin ----- Original Message ----- From: Gonzalo A. Diethelm <[EMAIL PROTECTED]> To: Turbine Developers List <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Monday, January 21, 2002 8:22 PM Subject: RE: First ideas for new security model > > Dan Diephouse, could you summarize your ideas in a stand-alone posting? > > We may be getting closer to a consensus, and it would be good to look > > again at what you propose in full. > > Also, I think it would be good to keep in mind that it is probably > a good idea that the design of the security system separates these > concerns: > > 1. Authentication (log-in, log-out, password admin?) > 2. Authorization (is this user allowed to do this) > 3. Profiling (user preferences) > 4. Administration (add, edit, remove users) > > > -- > Gonzalo A. Diethelm > [EMAIL PROTECTED] > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
