On Oct 27, 2007, at 5:46 PM, Ole Ersoy wrote:
> Hey Guys,
>
> Seen tons of good material from both Alex and David so far, and I
> think I'm getting what Triplesec is supposed to do in general. I
> wonder if it might help to state use cases / concrete examples?
> Here's a quick example:
>
> Use Case / Use Example
> ---------------------------------------------------
> Allow user Joe read access to file below /home/commons/
> on host 192.168.1.64
> ---------------------------------------------------
>
> I think this would allow people on the list to say "Yeah - If I
> could centrally store the rule that Joe should be allowed to read
> everything under /home/commons on 192.168.1.64 that would be really
> valuable." Also people would be able to focus in on the example
> and ask more questions about it, and each mail thread would be
> focused on one use case.
>
> Then we could keep enumerating all the scenarios until everything
> is covered like:
>
> Use Case
> ---------------------------------------------------
> Allow user Joe write access to files below /home/commons/only-joe/
> on host 192.168.1.64
> ---------------------------------------------------
>
> Use Case
> ---------------------------------------------------
> Allow user Apache read access to files below /var/www/html/
> on host 192.168.1.64
> ---------------------------------------------------
>
> (The above are the same use cases / examples. I personally get the
> "Aha!" feeling quicker with lots of examples with minor variations,
> such as this one, with the user being a human user in the first
> case and a daemon in the second...).
>
>
> Use Case
> ---------------------------------------------------
> Create a Role JoeRole
> ---------------------------------------------------
>
> Use Case
> ---------------------------------------------------
> Assign User Joe to JoeRole
> ---------------------------------------------------
> etc
>
> These use cases could be put in separate threads so that
> each could be discussed separately from everything else. In this
> last case, people might ask "How would I define Joe
> programmatically?", "Why would I assign Joe to JoeRole?" or "What if
> I wanted to assign JoeRole to JoeDaddyRole?", "Who's your Daddy?",
> etc.
>
> Anyways, just an idea. I'm off vacation for seven days, so sorry
> if I don't get a chance to respond right away, if anyone comments
> on this.
This might be a good idea although I'm afraid of the number of use
cases we will find. I think the ones I'm most interested in (or at
least the ones I can think of quickly) are:
1. I'm an app server, and we've authenticated the user. The user is
trying to access some part of an application. Should I let them?
2. I'm a security admin, and we just hired joe. I need to enter his
info into the system and make it so he has the permissions he needs
to do his job, and no other permissions.
3. I'm a security admin, and we just got a new program. I need to
make it so the people who need to use the program have the
permissions to do so, and no one else does.
4. I'm the administrator of a dynamic content application such as a
portal, and we just added content. I need to assign permissions so
the people who need to see it can and no one else does.
5. I'm the triplesec contractor, and I need to install triplesec in
this system with thousands of existing users, hundreds of
applications, and thousands of permissions. I need to set up
triplesec to work with the existing data.
Just as I'm scared of being able to understand a model spread across
5 email threads, I'm scared of trying to understand use cases spread
through many threads. We'll see :-)
thanks
david jencks
>
> Cheers,
> - Ole
>
>
>
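The use cases from this thread, modelled as a small role-based policy (an added illustration written for this page, not Triplesec code): permissions are (host, path prefix, action) rules attached to roles, a role can inherit another role's permissions (the "assign JoeRole to JoeDaddyRole" question), and the app server's "should I let them?" question becomes a single is_allowed() call that denies by default. The role names WebRole/JoeDaddyRole and the user names apache/joedaddy are assumptions.

```python
from dataclasses import dataclass
from posixpath import normpath

@dataclass(frozen=True)
class Permission:  # one rule: <action> on files under <path> on <host>
    host: str
    path: str
    action: str  # "read" or "write"

def _under(path, prefix):
    # True if path is the prefix directory itself or lies below it.
    prefix = normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

class Policy:
    def __init__(self):
        self.role_perms = {}    # role -> set of Permission
        self.role_parents = {}  # role -> roles it inherits from
        self.user_roles = {}    # user -> roles directly assigned
    def grant(self, role, perm):
        self.role_perms.setdefault(role, set()).add(perm)
    def inherit(self, child, parent):  # child gets every permission of parent
        self.role_parents.setdefault(child, set()).add(parent)
    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)
    def effective_roles(self, user):
        # Walk the role hierarchy; 'seen' also stops cycles from looping.
        todo, seen = list(self.user_roles.get(user, ())), set()
        while todo:
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                todo.extend(self.role_parents.get(role, ()))
        return seen
    def is_allowed(self, user, host, path, action):
        # Deny by default; normalise so "../" cannot escape a granted prefix.
        path = normpath("/" + path.lstrip("/"))
        return any(p.host == host and p.action == action and _under(path, p.path)
                   for r in self.effective_roles(user) for p in self.role_perms.get(r, ()))

def thread_policy():
    # The thread's use cases; role and user names are my assumptions.
    pol, host = Policy(), "192.168.1.64"
    pol.grant("JoeRole", Permission(host, "/home/commons/", "read"))
    pol.grant("JoeRole", Permission(host, "/home/commons/only-joe/", "write"))
    pol.grant("WebRole", Permission(host, "/var/www/html/", "read"))
    pol.inherit("JoeDaddyRole", "JoeRole")  # "assign JoeRole to JoeDaddyRole"
    pol.assign("joe", "JoeRole")
    pol.assign("apache", "WebRole")
    pol.assign("joedaddy", "JoeDaddyRole")
    return pol
```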