From: Stephane Bailliez
To: dev@directory.apache.org (Apache Directory Developers List)
Subject: Re: [Triplesec] Permissions, Roles and Groups
Date: Tue, 30 Jan 2007 15:16:36 +0100
Ersin Er wrote:
>>> These can be extended to the following entities:
>>>
>>> Policies
>>> Subjects
>>> Rules
>>> Conditions
>>
>> Where is this from? Are these SUN's commercialized names for things they
>> have in their access control manager?
>
> Well, these are not only SUN's terminology but generic entity
> descriptors that need to be provided by a powerful access control
> system.
>
> What we call Users and Roles in Triplesec can be extended to the term
> Subject.
>
> We don't have anything like Rules, although we must have. We just use
> abstract strings as David said. But this is not for controlling access
> but for storing abstract permission information.
>
> And Conditions are still a required property. Beyond selecting the
> subjects and resources, we may need to satisfy more conditions like
> Authentication Level, IP Address, LDAP Filter, Time etc.
>
> These are all also proposed by the NIST spec and XACML.

Good point. A permission could indeed be temporal or subject to other bizrules.

-- 
stephane
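The Subject / Rule / Condition split that Ersin describes, and the temporal permission Stephane mentions, as an added example that is not part of the thread and not Triplesec code. Only the entity names come from the thread; the field names, the condition kinds (daily time window, source network, minimum authentication level, a single-attribute match standing in for an LDAP filter), the sample policy, the authentication-level scale and the sample requests are all assumed. Decisions are combined deny-overrides, as XACML names that combining algorithm.

```python
"""Added example, not Triplesec code: a minimal rule/condition-based
permission check. Entity names (Subject, Rule, Condition, Policy) follow
the mailing-list thread; every field, sample value and condition kind
below is an assumption made for the example."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Subject:
    """Who is asking: a user plus the roles resolved for it."""
    uid: str
    roles: frozenset
    auth_level: int          # assumed scale: 1 = password, 2 = password + OTP
    source_ip: str
    attributes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Request:
    subject: Subject
    resource: str            # assumed naming: "app:resource"
    action: str
    when: datetime


# Conditions are plain predicates over the request; each mirrors one of
# the condition kinds listed in the thread (auth level, IP, filter, time).
def min_auth_level(level):
    return lambda r: r.subject.auth_level >= level

def from_network(cidr):
    net = ip_network(cidr)
    return lambda r: ip_address(r.subject.source_ip) in net

def between(start: time, end: time):
    # Temporal permission: only valid inside a daily window.
    return lambda r: start <= r.when.time() < end

def attribute_equals(name, value):
    # Stand-in for an LDAP filter: a single attribute match.
    return lambda r: r.subject.attributes.get(name) == value


@dataclass(frozen=True)
class Rule:
    roles: frozenset        # subject selector: any of these roles
    resource: str           # resource selector
    actions: frozenset
    conditions: tuple = ()  # all must hold for the rule to apply
    effect: str = "permit"  # "permit" or "deny"

    def applies(self, r: Request) -> bool:
        return (bool(self.roles & r.subject.roles)
                and self.resource == r.resource
                and r.action in self.actions
                and all(c(r) for c in self.conditions))


def evaluate(policy, request) -> str:
    """Deny-overrides: any matching deny rule wins, otherwise any
    matching permit rule, otherwise deny by default."""
    matched = [rule for rule in policy if rule.applies(request)]
    if any(rule.effect == "deny" for rule in matched):
        return "deny"
    if any(rule.effect == "permit" for rule in matched):
        return "permit"
    return "deny"


# Constructed sample policy: clerks may read salaries during office
# hours, from the internal network, with a second factor; a suspended
# clerk is denied regardless.
POLICY = (
    Rule(frozenset({"payroll-clerk"}), "payroll:salaries", frozenset({"read"}),
         conditions=(between(time(8, 0), time(18, 0)),
                     from_network("10.0.0.0/8"),
                     min_auth_level(2))),
    Rule(frozenset({"payroll-clerk"}), "payroll:salaries", frozenset({"read"}),
         conditions=(attribute_equals("employmentStatus", "suspended"),),
         effect="deny"),
)


def decide(uid, roles, auth_level, ip, hour, attrs=None,
           resource="payroll:salaries", action="read"):
    """Evaluate one constructed request against POLICY at the given hour
    of a fixed sample date (the date itself is irrelevant to the rules)."""
    subj = Subject(uid, frozenset(roles), auth_level, ip, attrs or {})
    when = datetime(2007, 1, 30, hour, 0)
    return evaluate(POLICY, Request(subj, resource, action, when))


if __name__ == "__main__":
    print(decide("alice", ["payroll-clerk"], 2, "10.1.2.3", 10))      # permit
    print(decide("alice", ["payroll-clerk"], 2, "10.1.2.3", 23))      # deny: outside window
    print(decide("alice", ["payroll-clerk"], 2, "203.0.113.9", 10))   # deny: off-network
    print(decide("alice", ["payroll-clerk"], 1, "10.1.2.3", 10))      # deny: password only
    print(decide("alice", ["payroll-clerk"], 2, "10.1.2.3", 10,
                 {"employmentStatus": "suspended"}))                  # deny: deny rule overrides
```

The point the thread makes shows up in the last two cases: the same subject, resource and action yield different decisions depending on conditions that have nothing to do with the permission string itself, which is exactly what an "abstract string" permission cannot express on its own.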