directory-dev mailing list archives

From Alex Karasulu <akaras...@apache.org>
Subject Re: [Triplesec] Permissions, Roles and Groups
Date Thu, 25 Jan 2007 20:44:01 GMT
Ole Ersoy wrote:
> 
> Permissions
> ===========
> So would it be correct to say that a permission
> is a Class with 3 properties:
> 
> String name;  //The name of the permission
> URI resource;  //The resource/method/operation
> Boolean access;  //Whether access is allowed

Hmm I don't think I agree.  The boolean parameter is not necessary in my 
mind.  In general I like simpler systems where you either have a 
permission to do something or you don't have access at all.  I don't 
like the idea of positive and negative permissions.  IMHO they make 
things more complex.

This is one of my issues with Java security and its implies method.

> 
> Groups
> ===========
> 
> Can we create a group of users and assign a role to
> that group, thereby assigning the role to all the
> users in that group?

Yes, effectively you can achieve this result; however, you would not add 
the role directly to the group.  At least I don't recommend this.  The 
best way IMO to model this in LDAP would be to have a profile for the 
group.  This is kind of like a link table.

But essentially the answer is yes.

Alex

> --- Alex Karasulu <akarasulu@apache.org> wrote:
> 
>> Hello,
>>
>> I would like to have a discussion on the meaning of
>> these entities in 
>> general and with respect to how they are modeled in
>> Triplesec today in 
>> the trunk:
>>
>>    o Permissions
>>    o Roles
>>    o Groups
>>
>> I've been talking to djencks about this stuff for a
>> bit now as we have 
>> started working together on various aspects of
>> Triplesec.  I'd like to 
>> have a general discussion about these concepts here
>> so we can all be on 
>> the same page with what they are.  Let me kick this
>> off.
>>
>> Permissions
>> ===========
>>
>> To me a permission is a right that is granted to
>> access a resource or 
>> perform some kind of protected operation.  To a
>> large degree the 
>> semantics of permissions are undefined except within
>> a specific 
>> application.  For example the permission to
>> accessPayroll may not have 
>> much meaning outside of an application dealing with
>> payroll management.
>>
>> In Triplesec (trunk) a permission is just a label
>> without any meaning. 
>> The semantics of the permission is left up to the
>> application to define.
>>
>> Roles
>> =====
>>
>> A Role is a collection of permissions associated
>> together to represent 
>> the rights needed by one to perform the actions or
>> activities of a 
>> function.  For our purposes we can just say a role
>> is a collection of 
>> permissions.
>>
>> As a collection of permissions which are application
>> specific, roles 
>> themselves become application specific.
>>
>> In Triplesec (trunk) a role is just a collection of
>> granted permissions 
>> with a name.  Role entries in Triplesec have a
>> SINGLE-VALUED 'roleName' 
>> and a MULTI-VALUED 'grants' attribute.  You just add
>> the names of 
>> permissions to a role entry to add them to the role.
>>
>> Groups
>> ======
>>
>> Although you can group anything I think we're
>> talking more about groups 
>> of users in this context.  Groups are primarily used
>> to make 
>> administration tasks easier.  By grouping people
>> they can be managed 
>> as a single group rather than performing the same
>> upkeep operations on 
>> all the members of the group.
>>
>> In Triplesec a group is a static LDAP group
>> (groupOfUniqueNames) or user 
>> DNs right now.  We may expand this to include
>> dynamic groups in the future.
>>
>> Thoughts? Corrections?
>>
>> Alex
>>


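The model the thread describes, worked through as an added Python example that is not part of this thread or of the Triplesec code base: role entries with a single-valued roleName and a multi-valued grants attribute, a groupOfUniqueNames group of user DNs, a profile per group acting as the link table to roles, and positive grants only. The profile entry and its attribute names (profileId, principal, roles), the LDIF contents, and the acceptance of a profile bound directly to a user DN are assumptions made for the illustration.

```python
# Constructed LDIF sketching the model discussed in the thread. roleName, grants
# and groupOfUniqueNames come from the thread; the profile entry is an assumption.
LDIF = """\
dn: cn=payroll-clerks,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=users,dc=example,dc=com
uniqueMember: uid=bob,ou=users,dc=example,dc=com

dn: roleName=payrollViewer,ou=roles,dc=example,dc=com
roleName: payrollViewer
grants: accessPayroll
grants: viewReports

dn: profileId=payroll-clerks,ou=profiles,dc=example,dc=com
profileId: payroll-clerks
principal: cn=payroll-clerks,ou=groups,dc=example,dc=com
roles: payrollViewer
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line-separated entries, one 'attr: value' per line."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr.lower(), []).append(value)  # LDAP attribute names are case-insensitive
    if cur:
        entries.append(cur)
    return entries

def granted_permissions(entries, user_dn):
    """Resolve user -> groups -> profiles -> roles -> grants. Only positive grants exist."""
    groups = {e["dn"][0] for e in entries
              if "groupofuniquenames" in [c.lower() for c in e.get("objectclass", [])]
              and user_dn in e.get("uniquemember", [])}
    # The profile is the link table: it binds a principal (group DN, or by
    # assumption a user DN) to role names rather than attaching roles to the group.
    principals = groups | {user_dn}
    role_names = {r for e in entries if e.get("principal", [None])[0] in principals
                  for r in e.get("roles", [])}
    return {g for e in entries if e.get("rolename", [None])[0] in role_names
            for g in e.get("grants", [])}

def is_permitted(entries, user_dn, permission):
    """A permission is either held through some role or it is not; no deny rules."""
    return permission in granted_permissions(entries, user_dn)
```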