From Ole Ersoy <ole_er...@yahoo.com>
Subject Re: [Triplesec] Permissions, Roles and Groups
Date Fri, 26 Jan 2007 00:07:15 GMT
Alex - I sent this before I saw the Hierarchical role
stuff...so we could just scratch it...


--- Ole Ersoy <ole_ersoy@yahoo.com> wrote:

> Permissions
> ===========
>
> Ah - Gotcha - If the Permission is present, then
> access is automatically true.  Makes sense.
>
> Groups
> ===========
>
> Hmmm - trying to get the profiles part...
>
> I think you are saying it's an efficient way of doing this:
>
> Suppose I want to know if
>
> "Ole"
>
> has access to
>
> "http://some.typical.resource.watteva"
>
> So I pass "Ole" and "http://some.typical.resource.watteva"
> to triplesec.
>
> triplesec first checks some indexed structure
> if "Ole" is allowed to get
> "http://some.typical.resource.watteva"
>
> But can't find Ole.
>
> So,
> Triplesec finds groups that "Ole" belongs
> to in some other indexed structure.
>
> Then triplesec retrieves roles assigned to the groups.
> Then searches through the roles for a permission containing,
> "http://some.typical.resource.watteva"?
>
> Cheers,
> - Ole
>
>
>
> --- Alex Karasulu <akarasulu@apache.org> wrote:
>
> > Ole Ersoy wrote:
> > >
> > > Permissions
> > > ===========
> > > So would it be correct to say that a permission
> > > is a Class with 3 properties:
> > >
> > > String name;  //The name of the permission
> > > URI resource;  //The resource/method/operation
> > > Boolean access;  //Whether access is allowed
> >
> > Hmm I don't think I agree.  The boolean parameter is
> > not necessary in my mind.  In general I like simpler systems where you
> > either have a permission to do something or you don't have access
> > at all.  I don't like the idea of positive and negative permissions.
> > IMHO they make things more complex.
> >
> > This is one of my issues with Java security and its
> > implies method.
> >
> > >
> > > Groups
> > > ===========
> > >
> > > Can we create a group of users and assign a role to
> > > that group, thereby assigning the role to all the
> > > users in that group?
> >
> > Yes effectively you can achieve this result however you would not add
> > the role directly to the group.  At least I don't recommend this.  The
> > best way IMO to model this in LDAP would be to have a profile for the
> > group.  This is kind of like a link table.
> >
> > But essentially the answer is yes.
> >
> > Alex
> >
> > > --- Alex Karasulu <akarasulu@apache.org> wrote:
> > >
> > >> Hello,
> > >>
> > >> I would like to have a discussion on the meaning of
> > >> these entities in general and with respect to how they are modeled in
> > >> Triplesec today in the trunk:
> > >>
> > >>    o Permissions
> > >>    o Roles
> > >>    o Groups
> > >>
> > >> I've been talking to djencks about this stuff for a
> > >> bit now as we have started working together on various aspects of
> > >> Triplesec.  I'd like to have a general discussion about these concepts
> > >> here so we can all be on the same page with what they are.  Let me kick
> > >> this off.
> > >>
> > >> Permissions
> > >> ===========
> > >>
> > >> To me a permission is a right that is granted to access a resource or
> > >> perform some kind of protected operation.  To a large degree the
> > >> semantics of permissions are undefined except within a specific
> > >> application.  For example the permission to accessPayroll may not have
> > >> much meaning outside of an application dealing with payroll management.
> > >>
> > >> In Triplesec (trunk) a permission is just a label without any meaning.
> > >> The semantics of the permission is left up to the application to define.
> > >>
> > >> Roles
> > >> =====
> > >>
> > >> A Role is a collection of permissions associated together to represent
> > >> the rights needed by one to perform the actions or activities of a
> > >> function.  For our purposes we can just say a role is a collection of
> > >> permissions.
> > >>
> > >> As a collection of permissions which are application specific, roles
> > >> themselves become application specific.
> > >>
> > >> In Triplesec (trunk) a role is just a collection of granted permissions
> > >> with a name.  Role entries in Triplesec have a SINGLE-VALUED 'roleName'
> > >> and a MULTI-VALUED 'grants' attribute.  You just add the names of
> > >> permissions to a role entry to add them to the role.
> > >>
> > >> Groups
> > >> ======
> > >>
> > >> Although you can group anything I think we're talking more about groups
> > >> of users in this context.  Groups are primarily used to make
> > >> administration tasks easier.  By grouping people and
=== message truncated ===



 
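As an added illustration (not Triplesec's own Java code) of the lookup Ole sketches and the entity layout Alex describes, here is a small Python model: permissions are bare labels with no access boolean, a role is a roleName plus a set of grants, and a profile is the link table binding a user or a group to roles. The Store class, the profile and group dictionaries, and the sample users are assumptions for the model.

```python
from dataclasses import dataclass

# Added model (not Triplesec code): permissions are bare labels, a role is a
# roleName plus a set of grants, a profile binds a user or group to roles.
@dataclass(frozen=True)
class Role:
    role_name: str      # SINGLE-VALUED 'roleName'
    grants: frozenset   # MULTI-VALUED 'grants': permission names

class Store:
    def __init__(self, roles, profiles, group_members):
        self.roles = {r.role_name: r for r in roles}
        self.profiles = profiles          # user or group name -> roleNames
        self.group_members = group_members  # groupName -> set of user names

    def groups_of(self, user):
        return sorted(g for g, m in self.group_members.items() if user in m)

    def permissions_of(self, subject):
        # Grants reachable via the subject's profile; a dangling roleName
        # in a profile grants nothing instead of raising.
        perms = set()
        for rn in self.profiles.get(subject, ()):
            role = self.roles.get(rn)
            if role is not None:
                perms |= role.grants
        return frozenset(perms)

    def resolve(self, user, permission):
        # Ole's lookup order: the user's own profile first, then each group
        # the user belongs to.  Returns where the grant came from, or None.
        if permission in self.permissions_of(user):
            return ("direct", user)
        for g in self.groups_of(user):
            if permission in self.permissions_of(g):
                return ("group", g)
        return None

# Constructed sample data, not from any real Triplesec deployment.
RESOURCE = "http://some.typical.resource.watteva"
STORE = Store(
    roles=[Role("reader", frozenset({RESOURCE})),
           Role("payroll", frozenset({"accessPayroll"}))],
    profiles={"staff": frozenset({"reader"}),
              "alex": frozenset({"payroll", "noSuchRole"})},
    group_members={"staff": {"ole", "alex"}},
)
```

Returning the profile that produced the grant, rather than a bare boolean, keeps the decision auditable when a user reaches a permission only through group membership.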
