>>>>> "Peter" == Peter Tribble <[email protected]> writes:

Peter> It's not even clear to me that assigning roles is the desired
Peter> approach.

Fundamentally, I think the choices are

1. permissions completely determined by role
2. permissions completely determined on a per-user basis
3. permissions determined by role plus some sort of exception list

The website dev team is currently using approach 1. Approach 2 strikes me as additional administrative overhead for questionable gain. Approach 3 would be nice to have, but I'm having a hard time seeing this as a requirement for the initial deployment. From what I understand of the authentication and authorization architecture[1], it seems like this could be added later if we discover that we really need it.

Peter> What matters is whether a user has the appropriate
Peter> privilege to do a certain operation - which boils down to "can
Peter> edit X" or "can commit code to Y". As a project or community
Peter> owner, I expect to assign those rights to individuals -
Peter> independently of some abstract role they might have. (Sometimes
Peter> they'll match; sometimes they won't.)

First, for code repos, write access can already be granted on a per repo/individual basis.

For web pages, I don't expect there to be much divergence between rights and roles in practice. There might indeed be that sort of divergence today, but let's look at the two cases:

a. user's role grants permissions that you don't want the user to have
b. user's role doesn't grant permissions that you do want the user to have

For a., XWiki will provide history and easy rollback (neither of which is provided with the current portal). If a user abuses his permissions, the damage can be easily undone. For cases of persistent abuse, the collective can revoke the user's permissions.

For b., I'm having trouble thinking of an example that makes sense to me. If you've got someone regularly editing a set of pages, that person is acting as a Contributor. For occasional edits, any Participant can add a comment.

mike

Footnotes:
[1] http://hub.opensolaris.org/bin/view/Main/XWikiAuthAppIntegration
