directory-dev mailing list archives

From Ole Ersoy <ole_er...@yahoo.com>
Subject Re: [Triplesec] Permissions, Roles and Groups
Date Thu, 25 Jan 2007 23:28:56 GMT
Permissions
===========

Ah - Gotcha - If the Permission is present, then
access is automatically true.  Makes sense.

Groups
===========

Hmmm - trying to get the profiles part...

I think you are saying it's an efficient way of doing
this:

Suppose I want to know if 

"Ole"

has access to 

"http://some.typical.resource.watteva"

So I pass "Ole" and
"http://some.typical.resource.watteva"

to triplesec.

triplesec first checks some indexed structure
if "Ole" is allowed to get
"http://some.typical.resource.watteva"

But can't find Ole.

So,
Triplesec finds groups that "Ole" belongs
to in some other indexed structure.

Then triplesec retrieves roles assigned to the groups.
Then searches through the roles for a permission
containing, 
"http://some.typical.resource.watteva"?

Cheers,
- Ole



--- Alex Karasulu <akarasulu@apache.org> wrote:

> Ole Ersoy wrote:
> > 
> > Permissions
> > ===========
> > So would it be correct to say that a permission
> > is a Class with 3 properties:
> > 
> > String name;  //The name of the permission
> > URI resource;  //The resource/method/operation
> > Boolean access;  //Whether access is allowed
> 
> Hmm I don't think I agree.  The boolean parameter is
> not necessary in my 
> mind.  In general I like simpler systems where you
> either have a 
> permission to do something or you don't have access
> at all.  I don't 
> like the idea of positive and negative permissions. 
> IMHO they make 
> things more complex.
> 
> This is one of my issues with Java security and its
> implies method.
> 
> > 
> > Groups
> > ===========
> > 
> > Can we create a group of users and assign a role
> to
> > that group, thereby assigning the role to all the
> > users in that group?
> 
> Yes effectively you can achieve this result however
> you would not add 
> the role directly to the group.  At least I don't
> recommend this.  The 
> best way IMO to model this in LDAP would be to have
> a profile for the 
> group.  This is kind of like a link table.
> 
> But essentially the answer is yes.
> 
> Alex
> 
> > --- Alex Karasulu <akarasulu@apache.org> wrote:
> > 
> >> Hello,
> >>
> >> I would like to have a discussion on the meaning
> of
> >> these entities in 
> >> general and with respect to how they are modeled
> in
> >> Triplesec today in 
> >> the trunk:
> >>
> >>    o Permissions
> >>    o Roles
> >>    o Groups
> >>
> >> I've been talking to djencks about this stuff for
> a
> >> bit now as we have 
> >> started working together on various aspects of
> >> Triplesec.  I'd like to 
> >> have a general discussion about these concepts
> here
> >> so we can all be on 
> >> the same page with what they are.  Let me kick
> this
> >> off.
> >>
> >> Permissions
> >> ===========
> >>
> >> To me a permission is a right that is granted to
> >> access a resource or 
> >> perform some kind of protected operation.  To a
> >> large degree the 
> >> semantics of permissions are undefined except
> within
> >> a specific 
> >> application.  For example the permission to
> >> accessPayroll may not have 
> >> much meaning outside of an application dealing
> with
> >> payroll management.
> >>
> >> In Triplesec (trunk) a permission is just a label
> >> without any meaning. 
> >> The semantics of the permission is left up to the
> >> application to define.
> >>
> >> Roles
> >> =====
> >>
> >> A Role is a collection of permissions associated
> >> together to represent 
> >> the rights needed by one to perform the actions or
> >> activities of a 
> >> function.  For our purposes we can just say a
> role
> >> is a collection of 
> >> permissions.
> >>
> >> As a collection of permissions which are
> application
> >> specific, roles 
> >> themselves become application specific.
> >>
> >> In Triplesec (trunk) a role is just a collection
> of
> >> granted permissions 
> >> with a name.  Roles entries in Triplesec have a
> >> SINGLE-VALUED 'roleName' 
> >> and a MULTI-VALUED 'grants' attribute.  You just
> add
> >> the names of 
> >> permissions to a role entry to add them to the
> role.
> >>
> >> Groups
> >> ======
> >>
> >> Although you can group anything I think we're
> >> talking more about groups 
> >> of users in this context.  Groups are primarily
> used
> >> to make 
> >> administration tasks easier.  By grouping people,
> >> they can be managed
> >> as a single group rather than performing the same
> >> upkeep operations on 
> >> all the members of the group.
> >>
> >> In Triplesec a group is a static LDAP group
> >> (groupOfUniqueNames) or user 
> >> DNs right now.  We may expand this to include
> >> dynamic groups in the future.
> >>
> >> Thoughts? Corrections?
> >>
> >> Alex
> >>
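Worked example, added here for illustration and not code from the thread or from Triplesec itself: the resolution chain the two messages describe, run over constructed in-memory entries. Role entries carry a single-valued roleName and a multi-valued grants attribute as Alex describes; groups are static groupOfUniqueNames entries whose uniqueMember values are user DNs; a profile entry links a user or group DN to role names, standing in for the "link table" profile Alex recommends instead of attaching roles to the group directly. The profile attribute names (profileUser, roles), the objectClass values and all DNs are assumptions made for this example. Permissions are positive-only, as Alex argues: a user holds a permission only if some resolved role grants it, and nothing in the model can express a deny. Ole's two-step lookup (check the user, then fall back to the user's groups) is folded into a single pass that treats the user DN and every group DN the user belongs to as subjects of the profile lookup.

```python
"""Resolve 'does this user hold this permission?' over entries shaped like
the Triplesec model discussed in the thread (constructed sample data)."""
from collections import defaultdict

BASE = "dc=example,dc=com"
OLE = f"uid=ole,ou=users,{BASE}"
MARY = f"uid=mary,ou=users,{BASE}"
BOB = f"uid=bob,ou=users,{BASE}"   # in no group, with no profile

# Constructed directory entries, keyed by DN. Attribute names profileUser and
# roles on the profile entries are assumptions for this example, not the
# real Triplesec schema; roleName/grants and groupOfUniqueNames/uniqueMember
# follow the thread and standard LDAP.
ENTRIES = {
    f"cn=payrollStaff,ou=groups,{BASE}": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [OLE, MARY],
    },
    f"roleName=payrollClerk,ou=roles,{BASE}": {
        "objectClass": ["role"],
        "roleName": ["payrollClerk"],            # single-valued
        "grants": ["accessPayroll", "viewTimesheets"],  # multi-valued labels
    },
    f"roleName=payrollManager,ou=roles,{BASE}": {
        "objectClass": ["role"],
        "roleName": ["payrollManager"],
        "grants": ["approvePayroll"],
    },
    # Profile linking the group to a role: the "link table" approach.
    f"profileId=payrollStaffProfile,ou=profiles,{BASE}": {
        "objectClass": ["profile"],
        "profileUser": [f"cn=payrollStaff,ou=groups,{BASE}"],
        "roles": ["payrollClerk"],
    },
    # Profile linking one user directly to an additional role.
    f"profileId=maryManagerProfile,ou=profiles,{BASE}": {
        "objectClass": ["profile"],
        "profileUser": [MARY],
        "roles": ["payrollManager"],
    },
}


def build_index(entries):
    """One pass over the entries builds the three lookups the resolver needs:
    user DN -> group DNs, subject DN -> role names, role name -> grants."""
    member_of = defaultdict(set)
    profiles = defaultdict(set)
    role_grants = {}
    for dn, attrs in entries.items():
        for member in attrs.get("uniqueMember", []):
            member_of[member].add(dn)
        for subject in attrs.get("profileUser", []):
            profiles[subject].update(attrs.get("roles", []))
        for name in attrs.get("roleName", []):
            role_grants[name] = set(attrs.get("grants", []))
    return member_of, profiles, role_grants


def permissions_of(user_dn, index):
    """Union of grants from every role reached via the user's own profiles
    and via the profiles of the groups the user is a member of."""
    member_of, profiles, role_grants = index
    subjects = {user_dn} | member_of.get(user_dn, set())
    perms = set()
    for subject in subjects:
        for role in profiles.get(subject, set()):
            # A profile naming a role that has no entry contributes nothing.
            perms |= role_grants.get(role, set())
    return perms


def has_permission(user_dn, permission, index):
    """Positive-only semantics: present means granted, absent means denied."""
    return permission in permissions_of(user_dn, index)


INDEX = build_index(ENTRIES)

if __name__ == "__main__":
    for who in (OLE, MARY, BOB):
        print(who, "->", sorted(permissions_of(who, INDEX)))
```

Because there is no negative permission, adding Bob to payrollStaff is the only way to give him accessPayroll, and removing that membership (or the group's profile) is the only way to take it away; there is no override to reason about, which is the simplicity Alex is arguing for.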