> -----Original Message-----
> From: Eric Pugh [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 25, 2003 5:38 PM
> To: 'Turbine Developers List'
> Subject: RE: [Fulcrum] Security Service Thoughts
> 
> 
> Great email!  Thanks..
> 
> So, let me spit it back to you and see if I understand it.  And if you can
> come up with a better name, I would be very happy!

This is kind of difficult. I remember somebody had suggested "domain".

"division" or "section" could work since the role is assigned to a part of
the system.

Some of the examples in the doc suggested "project" but it is too
specific and the concept should be more general.

"object" or "entity" are already overused.

I think "domain" is the best option we have so far.

> 
> So, for the first example the logical entities are:
> Our Groups are:
> Global
> Pet
> Clothes
> 
> Our Roles are
> Manager
> 
> Users
> Pedro
> Luis
> Salma
> Lupita
> 
> And our intersection relationship is:
> pedro manager clothes
> luis manager pets
> Lupita manager pets
> Lupita manager clothes
> Salma manager global
> 
> Now, does salma, since she is a manager in global mean that she is a manager
> in pets and clothes?  How is this modelled?  Is the global

The global group is a convention. When you program your screens or actions
within the isAuthorized() method, you know that if it has a role in the
global group it means that it has the role in all the groups. It is also
useful for things that are not divided in groups. For example, in a case
where you don't have departments, branches, sections, or anything. When you
assign a role, the role is global, that means that it applies to everything.
Also when you ask if a user has a role or a permission and you don't specify
the group, Turbine looks in the global group.

> group mentioned
> mean that if you have a role in that group, you have that role in all
> groups? 

Yes

> But without actually having a dynamic group to group 
> relationship?
??
> And do permissions come into it at all?

Yes, when a role is assigned within a group the corresponding permissions
are also assigned. And you can ask the ACL if a user has a permission within
a group.

> 
> 
> 
> I guess, if I were to do this using the simple model I would have:
> Groups
> Pet
> Clothes
> 
> Roles
> Manager
> 
> Users
> Pedro
> Luis
> Salma
> Lupita
> 
> And the intersection relationship would be
> User to Group
> pedro ClothesManagers
> luis PetsManagers
> salma ClothesManagers
> salma PetsManagers
> salma ClothesManagers
> salma PetsManagers
> 
> All of these groups would have a Manager role assigned to them.
> 
> So the main difference is that in the "turbine" model you have to pick both
> the group and role they play in that group.  Whereas in the "simple" model,
> you pick the group, and that determines all of the roles that the user has.

Do you still see a need for an alternate model? 

I'd rather fix the confusing "group" name and focus on decoupling
Torque from the security service.

> 
> Eric Pugh
> 
> 
> > -----Original Message-----
> > From: Humberto Hernandez Torres [mailto:[EMAIL PROTECTED]
> > Sent: Monday, August 25, 2003 11:34 PM
> > To: Turbine Developers List
> > Subject: RE: [Fulcrum] Security Service Thoughts
> >
> >
> > Hi Eric
> >
> > >
> > > On a somewhat separate note, what are the reasons behind the
> > > "turbine" model's intersection of user/group/role?  I just don't quite
> >
> > The user, group, role model is actually (IMHO) pretty flexible. I have used
> > it in several projects and it seems to fit many situations. And I am sure
> > it fits in the simple model that you need to solve.
> > However, we probably need to change the group because it is an unfortunate
> > name. And it is frequently misunderstood.
> > The idea is that every user has a role within a group.
> > Examples that I've seen in real life:
> > - You can have a catalog of products, but every department is managed
> > by a different person. Luis has the role manager within the pet department.
> > Pedro has the role manager within the clothes department. Lupita
> > is a manager in clothes and pets. Salma is the manager in all the
> > departments (global).
> >
> > - One company has many branch offices. Within each branch office, you have
> > a general manager, a sales manager, a purchase manager. In this case you have
> > one group for each branch.
> >
> > - One site has several sections. One person is an editor in section one and
> > a reviewer in section two. Another person is editor in all sections. In this
> > case you have one group for each section.
> >
> > Basically, the group has a meaning that fits your needs. It is NOT a group
> > of users as it is in Unix.
> >
> > > grok why it
> > > works that way.  Also, the torque code ONLY compiles.  I don't use
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
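
The user/group/role model discussed in this thread, with the global-group convention and role-derived permissions, as an added example that is not part of the original message and is not Turbine or Fulcrum code. The class `GroupScopedAcl`, its methods and the permission name `edit_catalog` are hypothetical; the grants are the ones listed in the thread.

```java
import java.util.*;

// Added illustration; not Turbine or Fulcrum code. All names are hypothetical.
public class GroupScopedAcl {
    static final String GLOBAL = "global";
    // role -> permissions it carries
    private final Map<String, Set<String>> rolePermissions = new HashMap<>();
    // user -> group -> roles the user holds within that group
    private final Map<String, Map<String, Set<String>>> grants = new HashMap<>();

    void definePermissions(String role, String... permissions) {
        rolePermissions.put(role, Set.of(permissions));
    }
    void grant(String user, String role, String group) {
        grants.computeIfAbsent(user, k -> new HashMap<>())
              .computeIfAbsent(group, k -> new HashSet<>()).add(role);
    }
    private Set<String> rolesIn(String user, String group) {
        return grants.getOrDefault(user, Map.of()).getOrDefault(group, Set.of());
    }
    // No group specified: only the global group is consulted.
    boolean hasRole(String user, String role) {
        return rolesIn(user, GLOBAL).contains(role);
    }
    // Convention: a role held in the global group counts in every group.
    boolean hasRole(String user, String role, String group) {
        return rolesIn(user, group).contains(role) || hasRole(user, role);
    }
    // Permissions follow the roles assigned within the group (or globally).
    boolean hasPermission(String user, String permission, String group) {
        for (String g : List.of(group, GLOBAL))
            for (String role : rolesIn(user, g))
                if (rolePermissions.getOrDefault(role, Set.of()).contains(permission))
                    return true;
        return false;
    }

    public static void main(String[] args) {
        GroupScopedAcl acl = new GroupScopedAcl();
        acl.definePermissions("manager", "edit_catalog"); // constructed permission
        acl.grant("pedro", "manager", "clothes");
        acl.grant("luis", "manager", "pets");
        acl.grant("lupita", "manager", "pets");
        acl.grant("lupita", "manager", "clothes");
        acl.grant("salma", "manager", GLOBAL);
        System.out.println(acl.hasRole("pedro", "manager", "pets"));   // scoped grant only
        System.out.println(acl.hasRole("salma", "manager", "pets"));   // global grant
        System.out.println(acl.hasPermission("lupita", "edit_catalog", "clothes"));
        System.out.println(acl.hasRole("lupita", "manager"));          // no group given
    }
}
```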
