directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: [Triplesec] [AuthZ] Environments and Groups
Date Tue, 30 Oct 2007 21:55:48 GMT

On Oct 24, 2007, at 10:29 AM, Alex Karasulu wrote:

> Environments and Groups
> -------------------------------------
> When releases are ready for deployment, systems and applications  
> must be put into
> some operating environment.  Within any environment identities will  
> exist; some
> will be users, some services and some will be specific hosts. These  
> principals for
> the sake of manageability are often categorized together into  
> logical associations.
> By grouping identities together, administrators can handle them as  
> a single entity
> where the same set of tasks may apply to the group whatever those  
> management
> operations may be.
> Although groups are designed by administrators to simplify and  
> reduce their workload,
> it's no coincidence that these groups are highly dependent on an  
> organization's structure
> or the processes within an organization.  General groups may exist  
> for the entire
> organization.  More specific groups will exist for the departments  
> of an organization.
> When processes drive the creation of groups, membership is a based  
> on similar functions
> required of a group's members.  Sometimes processes are isolated to  
> a division, but more
> often than not, processes span across divisions leading to the  
> creation of cross
> divisional groups.

I think this says that there's a set of Users (or principals?) we  
need to keep track of and that if there are more than a few users we  
will want to treat lots of them the same way.  Since we are  
discussing authorization here I think this means that there are sets  
of users we want to grant the same permissions with a single simple  

> We extract more glossary definitions:
> Group:
>    A set of distinctly identifiable entities which are  
> categorically alike within an
>    organization, organizational unit or with respect to some  
> organizational process.
I'm not sure what this means beyond "a group is a set of  users".

I'm sure everyone agrees that we need an easy way to take users who  
need to do the same kind of stuff and treat them all in the same  
way.  Even though "groups" are in most or all existing systems I'm  
not sure our model or our discussion needs a separate concept from  
"roles" to handle them.  To me it seems that conceptually when you  
start with users and ask "who does the same kind of job" you think  
"group" but when you start with permissions and ask "what permissions  
do we need to group together to get a useful task done" you think  

david jencks

View raw message