directory-dev mailing list archives

From Ole Ersoy <ole_er...@yahoo.com>
Subject Re: [Triplesec] Permissions, Roles and Groups
Date Thu, 25 Jan 2007 19:45:46 GMT


Permissions
===========
So would it be correct to say that a permission
is a Class with 3 properties:

String name;  //The name of the permission
URI resource;  //The resource/method/operation
Boolean access;  //Whether access is allowed

Groups
===========

Can we create a group of users and assign a role to
that group, thereby assigning the role to all the
users in that group?




--- Alex Karasulu <akarasulu@apache.org> wrote:

> Hello,
> 
> I would like to have a discussion on the meaning of
> these entities in 
> general and with respect to how they are modeled in
> Triplesec today in 
> the trunk:
> 
>    o Permissions
>    o Roles
>    o Groups
> 
> I've been talking to djencks about this stuff for a
> bit now as we have 
> started working together on various aspects of
> Triplesec.  I'd like to 
> have a general discussion about these concepts here
> so we can all be on 
> the same page with what they are.  Let me kick this
> off.
> 
> Permissions
> ===========
> 
> To me a permission is a right that is granted to
> access a resource or 
> perform some kind of protected operation.  To a
> large degree the 
> semantics of permissions are undefined except within
> a specific 
> application.  For example the permission to
> accessPayroll may not have 
> much meaning outside of an application dealing with
> payroll management.
> 
> In Triplesec (trunk) a permission is just a label
> without any meaning. 
> The semantics of the permission are left up to the
> application to define.
> 
> Roles
> =====
> 
> A Role is a collection of permissions associated
> together to represent 
> the rights needed by one to perform the actions or
> activities of a 
> function.  For our purposes we can just say a role
> is a collection of 
> permissions.
> 
> As a collection of permissions which are application
> specific, roles 
> themselves become application specific.
> 
> In Triplesec (trunk) a role is just a collection of
> granted permissions 
> with a name.  Roles entries in Triplesec have a
> SINGLE-VALUED 'roleName' 
> and a MULTI-VALUED 'grants' attribute.  You just add
> the names of 
> permissions to a role entry to add them to the role.
> 
> Groups
> ======
> 
> Although you can group anything I think we're
> talking more about groups 
> of users in this context.  Groups are primarily used
> to make 
> administration tasks easier.  By grouping people, they can be managed
> as a single group rather than performing the same
> upkeep operations on 
> all the members of the group.
> 
> In Triplesec a group is a static LDAP group
> (groupOfUniqueNames) or user 
> DNs right now.  We may expand this to include
> dynamic groups in the future.
> 
> Thoughts? Corrections?
> 
> Alex
> 

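An added example (not Triplesec code, and not written by either poster) that models the three entities as Alex describes them and resolves a user's effective permissions through direct role assignments and group membership. The group-to-role assignment Ole asks about is modelled as an assumed 'roles' attribute on the group, and every DN, role and permission name below is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    # As in the Triplesec entry: SINGLE-VALUED roleName, MULTI-VALUED grants
    # holding permission names, which are plain labels with no semantics here.
    roleName: str
    grants: frozenset[str]

@dataclass
class Group:
    # A static LDAP groupOfUniqueNames whose members are user DNs; 'roles'
    # (role names assigned to the whole group) is assumed, not from the thread.
    cn: str
    uniqueMember: set[str] = field(default_factory=set)
    roles: set[str] = field(default_factory=set)

@dataclass
class Directory:
    roles: dict[str, Role] = field(default_factory=dict)
    groups: dict[str, Group] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)  # direct assignments

    def effective_roles(self, user_dn: str) -> set[str]:
        # Direct role assignments plus roles inherited through group membership.
        names = set(self.user_roles.get(user_dn, set()))
        for group in self.groups.values():
            if user_dn in group.uniqueMember:
                names |= group.roles
        return names

    def effective_permissions(self, user_dn: str) -> set[str]:
        perms: set[str] = set()
        for name in self.effective_roles(user_dn):
            role = self.roles.get(name)
            if role is None:
                continue  # dangling role name grants nothing (fail closed)
            perms |= role.grants
        return perms

    def is_granted(self, user_dn: str, permission: str) -> bool:
        return permission in self.effective_permissions(user_dn)

def build_sample_directory() -> Directory:
    # Constructed sample data; DNs, role and permission names are made up.
    d = Directory()
    d.roles["payrollClerk"] = Role("payrollClerk", frozenset({"accessPayroll", "viewEmployee"}))
    d.roles["auditor"] = Role("auditor", frozenset({"viewEmployee", "viewAuditLog"}))
    d.groups["hr"] = Group("hr", {"uid=ole,ou=users,dc=example,dc=com"}, {"payrollClerk"})
    d.user_roles["uid=alex,ou=users,dc=example,dc=com"] = {"auditor", "retiredRole"}
    return d
```

Resolution is a union over all reachable roles, so a user in the hr group gets accessPayroll without any direct assignment, while a role name that no longer exists in the directory contributes nothing.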
