directory-dev mailing list archives

From "Ersin Er" <>
Subject Re: [Triplesec] Permissions, Roles and Groups
Date Thu, 25 Jan 2007 19:26:51 GMT
On 1/25/07, Alex Karasulu <> wrote:
> Hello,


I will extend the discussion using my recent experience with the subject.

> I would like to have a discussion on the meaning of these entities in
> general and with respect to how they are modeled in Triplesec today in
> the trunk:
>    o Permissions
>    o Roles
>    o Groups

These can be extended to the following entities:


Subjects include any LDAP representable (or somewhat more abstract)
user group: LDAP Group, LDAP User, Different User Selections based on
some filter or bind options etc.

Rules are the actions that can be permitted to subjects. The most
common rule type is URL Access Rules. In Triplesec's case, the thing
supported by this scheme can be named as String Rules. Triplesec does
not really control access but only allows it to be queried. (Maybe I
am wrong.) A real Access Control server should really take the control
of access to the resources it is protecting. The resource in case of a
URL Access Rule is a URL for example. An Access Control system should
be aware of or should be in contact with the resource it's protecting.
This can generally be provided by an agent installed on the resource
side without affecting the resource itself.

Conditions may depend on the type of Rules or may be generic. For
example, you may specify the time period a resource is allowed to be

I will not go on inlining my comments below because I think I have
changed the topic a little bit. If what I am talking about is far different
from Triplesec's model or aims, we can just ignore them. Or we may
merge the schemes as we're discussing.
> I've been talking to djencks about this stuff for a bit now as we have
> started working together on various aspects of Triplesec.  I'd like to
> have a general discussion about these concepts here so we can all be on
> the same page with what they are.  Let me kick this off.
>
> Permissions
> ===========
>
> To me a permission is a right that is granted to access a resource or
> perform some kind of protected operation.  To a large degree the
> semantics of permissions are undefined except within a specific
> application.  For example the permission to accessPayroll may not have
> much meaning outside of an application dealing with payroll management.
>
> In Triplesec (trunk) a permission is just a label without any meaning.
> The semantics of the permission is left up to the application to define.
>
> Roles
> =====
>
> A Role is a collection of permissions associated together to represent
> the rights needed by one to perform the actions or activities of a
> function.  For our purposes we can just say a role is a collection of
> permissions.
>
> As a collection of permissions which are application specific, roles
> themselves become application specific.
>
> In Triplesec (trunk) a role is just a collection of granted permissions
> with a name.  Role entries in Triplesec have a SINGLE-VALUED 'roleName'
> and a MULTI-VALUED 'grants' attribute.  You just add the names of
> permissions to a role entry to add them to the role.
>
> Groups
> ======
>
> Although you can group anything I think we're talking more about groups
> of users in this context.  Groups are primarily used to make
> administration tasks easier.  By grouping people, they can be managed
> as a single group rather than performing the same upkeep operations on
> all the members of the group.
>
> In Triplesec a group is a static LDAP group (groupOfUniqueNames) or user
> DNs right now.  We may expand this to include dynamic groups in the future.
>
> Thoughts? Corrections?
>
> Alex
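The model the two messages sketch, as an added Python example that is not Triplesec code: permissions as bare labels, role entries with a single-valued roleName and multi-valued grants, static groupOfUniqueNames groups of user DNs, and, from the reply, URL access rules carrying a time-window condition. It separates the query side (which permissions does a subject hold) from the enforcement side (is this request allowed), which is the distinction the reply draws. The group-to-role assignment, the DNs, the entry names and the rules are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Role:
    """Role entry as in Triplesec trunk: a SINGLE-VALUED roleName and a
    MULTI-VALUED grants attribute holding permission labels."""
    roleName: str
    grants: FrozenSet[str]


@dataclass(frozen=True)
class Group:
    """Static LDAP group (groupOfUniqueNames): cn plus the member user DNs."""
    cn: str
    uniqueMember: FrozenSet[str]


@dataclass(frozen=True)
class TimeWindow:
    """Condition from the reply: the rule only applies within a time period."""
    start: time
    end: time

    def holds(self, ctx: dict) -> bool:
        return self.start <= ctx["now"] <= self.end


@dataclass(frozen=True)
class Rule:
    """URL access rule: resource (a URL prefix), required permission, conditions."""
    url_prefix: str
    permission: str
    conditions: Tuple[TimeWindow, ...] = ()


class PolicyStore:
    """Query side: which roles and permissions a subject holds.
    group_roles (cn -> roleNames) is an assumed assignment; the thread
    does not say how groups are tied to roles."""

    def __init__(self, roles: Iterable[Role], groups: Iterable[Group],
                 group_roles: Dict[str, Tuple[str, ...]]):
        self.roles = {r.roleName: r for r in roles}
        self.groups = {g.cn: g for g in groups}
        self.group_roles = group_roles

    def roles_for(self, user_dn: str) -> Set[str]:
        names: Set[str] = set()
        for g in self.groups.values():
            if user_dn in g.uniqueMember:
                names.update(self.group_roles.get(g.cn, ()))
        return names

    def permissions_for(self, user_dn: str) -> Set[str]:
        perms: Set[str] = set()
        for name in self.roles_for(user_dn):
            perms |= self.roles[name].grants
        return perms


def is_allowed(store: PolicyStore, rules: List[Rule], user_dn: str,
               url: str, ctx: dict) -> bool:
    """Enforcement side: deny by default; the most specific matching rule
    decides, and it only permits when its permission is granted to the
    subject and every attached condition holds."""
    matching = [r for r in rules if url.startswith(r.url_prefix)]
    if not matching:
        return False
    rule = max(matching, key=lambda r: len(r.url_prefix))
    if rule.permission not in store.permissions_for(user_dn):
        return False
    return all(c.holds(ctx) for c in rule.conditions)


def at(hour: int) -> dict:
    """Request context for a given hour of day (constructed helper)."""
    return {"now": time(hour, 0)}


# Constructed sample directory content.
ALICE = "uid=alice,ou=users,dc=example,dc=com"
BOB = "uid=bob,ou=users,dc=example,dc=com"
ROLES = [
    Role("payrollClerk", frozenset({"accessPayroll"})),
    Role("payrollAdmin", frozenset({"accessPayroll", "approvePayroll"})),
]
GROUPS = [
    Group("clerks", frozenset({ALICE})),
    Group("admins", frozenset({BOB})),
]
GROUP_ROLES = {"clerks": ("payrollClerk",), "admins": ("payrollAdmin",)}
RULES = [
    Rule("/payroll/", "accessPayroll"),
    Rule("/payroll/approve", "approvePayroll", (TimeWindow(time(9), time(17)),)),
]
STORE = PolicyStore(ROLES, GROUPS, GROUP_ROLES)

if __name__ == "__main__":
    print("alice holds:", sorted(STORE.permissions_for(ALICE)))
    print("bob approve at 10h:", is_allowed(STORE, RULES, BOB, "/payroll/approve", at(10)))
    print("bob approve at 22h:", is_allowed(STORE, RULES, BOB, "/payroll/approve", at(22)))
```

The longest-prefix choice matters: a request for /payroll/approve also matches the looser /payroll/ rule, and picking the most specific rule is what keeps the approvePayroll requirement and its time window from being bypassed by the broader accessPayroll grant.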

