directory-dev mailing list archives

From Alex Karasulu <>
Subject [Triplesec] Permissions, Roles and Groups
Date Thu, 25 Jan 2007 19:02:06 GMT

I would like to have a discussion on the meaning of these entities in 
general and with respect to how they are modeled in Triplesec today in 
the trunk:

   o Permissions
   o Roles
   o Groups

I've been talking to djencks about this stuff for a bit now as we have 
started working together on various aspects of Triplesec.  I'd like to 
have a general discussion about these concepts here so we can all be on 
the same page with what they are.  Let me kick this off.


To me a permission is a right that is granted to access a resource or 
perform some kind of protected operation.  To a large degree the 
semantics of permissions are undefined except within a specific 
application.  For example the permission to accessPayroll may not have 
much meaning outside of an application dealing with payroll management.

In Triplesec (trunk) a permission is just a label without any meaning. 
The semantics of the permission is left up to the application to define.


A Role is a collection of permissions associated together to represent 
the rights needed by one to perform the actions or activities of a 
function.  For our purposes we can just say a role is a collection of 

As a collection of permissions which are application specific, roles 
themselves become application specific.

In Triplesec (trunk) a role is just a collection of granted permissions 
with a name.  Role entries in Triplesec have a SINGLE-VALUED 'roleName' 
and a MULTI-VALUED 'grants' attribute.  You just add the names of 
permissions to a role entry to add them to the role.


Although you can group anything, I think we're talking more about groups 
of users in this context.  Groups are primarily used to make 
administration tasks easier.  By grouping people, they can be managed 
as a single group rather than performing the same upkeep operations on 
all the members of the group.

In Triplesec a group is a static LDAP group (groupOfUniqueNames) of user 
DNs right now.  We may expand this to include dynamic groups in the future.

Thoughts? Corrections?

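As an added worked example (not Triplesec code and not part of the message above), here is a small Python model of the three entities as the post describes them in trunk: permissions as bare labels, role entries with a single-valued 'roleName' and a multi-valued 'grants' attribute, and groups as static groupOfUniqueNames entries listing user DNs. The LDIF is constructed for illustration; the DNs, the 'permName' attribute on permission entries, and the GROUP_ROLES mapping that ties groups to roles are all assumptions (the post does not say how groups and roles are connected). The example enforces the single-valued 'roleName' constraint, resolves a user's effective permissions through group membership, and reports grants that name a permission label no entry defines, which is the kind of consistency check a label-only permission model invites.

```python
"""Model of Triplesec (trunk) permissions, roles and groups as described
in the post.  Constructed example, not Triplesec's own code."""
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed LDIF.  roleName/grants and groupOfUniqueNames/uniqueMember come
# from the post and standard LDAP; permName and all DNs are assumptions.
SAMPLE_LDIF = """\
dn: permName=accessPayroll,ou=permissions,dc=example,dc=com
objectClass: top
permName: accessPayroll

dn: permName=viewEmployee,ou=permissions,dc=example,dc=com
objectClass: top
permName: viewEmployee

dn: roleName=payrollClerk,ou=roles,dc=example,dc=com
objectClass: top
roleName: payrollClerk
grants: accessPayroll
grants: viewEmployee

dn: roleName=payrollAdmin,ou=roles,dc=example,dc=com
objectClass: top
roleName: payrollAdmin
grants: accessPayroll
grants: editPayroll

dn: cn=clerks,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: clerks
uniqueMember: uid=alice,ou=users,dc=example,dc=com
uniqueMember: uid=bob,ou=users,dc=example,dc=com

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=carol,ou=users,dc=example,dc=com
"""

ROLE_CLERK = "roleName=payrollClerk,ou=roles,dc=example,dc=com"
ROLE_ADMIN = "roleName=payrollAdmin,ou=roles,dc=example,dc=com"
GROUP_CLERKS = "cn=clerks,ou=groups,dc=example,dc=com"
GROUP_ADMINS = "cn=admins,ou=groups,dc=example,dc=com"

# ASSUMPTION: which roles a group confers.  The post does not define this link.
GROUP_ROLES: Dict[str, List[str]] = {
    GROUP_CLERKS: [ROLE_CLERK],
    GROUP_ADMINS: [ROLE_ADMIN],
}


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse minimal LDIF (no base64 values, no continuation lines) into
    {dn: {attribute_lowercased: [values]}}.  Blank lines separate entries."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    dn = None
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                entries[dn] = current
            dn, current = None, {}
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        else:
            current.setdefault(attr, []).append(value)
    return entries


def role_grants(entries: Dict[str, Entry], role_dn: str) -> Set[str]:
    """Permission labels granted by a role; enforces single-valued roleName."""
    entry = entries[role_dn]
    names = entry.get("rolename", [])
    if len(names) != 1:
        raise ValueError(f"{role_dn}: roleName must be single-valued, got {names}")
    return set(entry.get("grants", []))


def group_members(entries: Dict[str, Entry], group_dn: str) -> Set[str]:
    """User DNs in a static groupOfUniqueNames entry."""
    entry = entries[group_dn]
    classes = {oc.lower() for oc in entry.get("objectclass", [])}
    if "groupofuniquenames" not in classes:
        raise ValueError(f"{group_dn} is not a groupOfUniqueNames")
    return set(entry.get("uniquemember", []))


def effective_permissions(entries: Dict[str, Entry], user_dn: str,
                          group_roles: Dict[str, List[str]]) -> Set[str]:
    """Union of grants from every role conferred by a group the user is in."""
    perms: Set[str] = set()
    for group_dn, role_dns in group_roles.items():
        if user_dn in group_members(entries, group_dn):
            for role_dn in role_dns:
                perms |= role_grants(entries, role_dn)
    return perms


def dangling_grants(entries: Dict[str, Entry]) -> Dict[str, Set[str]]:
    """Roles whose grants name a label with no permission entry (assumes
    permission entries carry a 'permName' attribute)."""
    defined = {v for e in entries.values() for v in e.get("permname", [])}
    bad: Dict[str, Set[str]] = {}
    for dn, entry in entries.items():
        if "rolename" in entry:
            missing = set(entry.get("grants", [])) - defined
            if missing:
                bad[dn] = missing
    return bad


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(effective_permissions(directory, "uid=alice,ou=users,dc=example,dc=com", GROUP_ROLES))
    print(dangling_grants(directory))
```

Because a permission in trunk is only a label, nothing in the directory stops a role from granting a name no application will ever check; dangling_grants() is the administrative check for that, and role_grants() rejects any entry that violates the single-valued 'roleName' rule rather than silently picking one value.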
