directory-dev mailing list archives

From Stephane Bailliez <sbaill...@gmail.com>
Subject Re: [Triplesec] Permissions, Roles and Groups
Date Tue, 30 Jan 2007 14:16:36 GMT


Ersin Er wrote:
>> > These can be extended to the following entities:
>> >
>> > Policies
>> >  Subjects
>> >  Rules
>> >  Conditions
>>
>> Where is this from? Is this SUN's commercialized names for things they
>> have in their access control manager?
> 
> Well, these are not only SUN's terminology but generic entity
> descriptors that need to be provided by a powerful access control
> system.
> 
> What we call Users and Roles in Triplesec can be extended to the term 
> Subject.
> 
> We don't have anything like Rules, although we must have. We just use
> abstract strings as David said. But this is not for controlling access
> but for storing abstract permission information.
> 
> And Conditions are still a required property. Beyond selecting the
> subjects and resources, we may need to satisfy more conditions like
> Authentication Level, IP Address, LDAP Filter, Time etc.
> 
> These all are also proposed by NIST spec and XACML.

Good point.

A permission could indeed be temporal or subject to other bizrules.


-- stephane

