directory-dev mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject Re: [Triplesec] [AuthZ] Applications and Roles
Date Sat, 27 Oct 2007 18:17:33 GMT
Hi Stefan,

On 10/26/07, Stefan Seelmann <seelmann@apache.org> wrote:
>
> Is one role limited to aggregate permissions within an application?
>
> What about
> - roles that aggregate roles (hierarchical roles)


Oh yes, we can have role hierarchies where roles are a set of permissions
and a set of other roles.  I even like the idea of multiple inheritance with
role hierarchies, where a role can reference more than one super role.
Without multiple inheritance a role could only have zero or one superior
roles.

Role inheritance is critical for real world use cases.

> - roles that aggregate roles and permissions of different applications
> or systems (enterprise roles)


The short answer is yes but there are some details that would need to be
addressed based on the scope in which the role is defined.

Alex

> Applications and Roles
> > ---------------------------------
> >
> > Application designers devise security permissions and roles specific to
> > applications.  These
> > roles represent a set of rights authorizing principals to perform
> > operations or access resources
> > that must be allowed to fulfill a specific coherent function within
> > applications.  These rights to
> > access resources are the permissions.  The set of these permissions,
> > needed for a logical
> > function to be conducted in the application, is a role.
> >
> > To be concise we extract the following glossary definitions:
> >
> > Permission:
> >    A right required by a system or application to authorize principals
> > to perform a
> >    specific operation or access a resource in some manner.
> >
> > Role:
> >    A set of permissions required by a principal to be authorized to
> > fulfill a logical function
> >    within a system or application.
> >
> > Thanks,
> > Alex
>
>
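The role model discussed in this thread (a role is a set of permissions plus a set of superior roles, with multiple inheritance, and enterprise roles spanning several applications) is easy to get subtly wrong when the hierarchy has diamonds or cycles. The following is an added example, not Triplesec code and not from either author; the application, resource, operation and role names it uses are constructed. It resolves a role's effective permissions by walking the superior-role graph, and validates the hierarchy for dangling references and inheritance cycles, which are the two defects an administrator can introduce once roles may reference more than one super role.

```python
"""Role hierarchy resolution for an RBAC model in which a role is a set of
permissions plus a set of superior roles (zero or more, so multiple
inheritance is allowed).  Illustrative example; all names are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """A right to perform an operation on a resource, scoped to one application."""
    application: str
    resource: str
    operation: str

    def __str__(self) -> str:
        return f"{self.application}:{self.resource}:{self.operation}"


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    parents: set = field(default_factory=set)   # names of superior roles


class RoleHierarchy:
    def __init__(self):
        self._roles = {}

    def add(self, role):
        self._roles[role.name] = role
        return role

    def effective_permissions(self, role_name):
        """Union of the role's own permissions and those of every ancestor.
        The 'seen' set makes diamonds cheap and keeps a cycle from looping."""
        seen, result, stack = set(), set(), [role_name]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            role = self._roles.get(name)
            if role is None:
                raise KeyError(f"unknown role: {name}")
            result |= role.permissions
            stack.extend(role.parents)
        return result

    def is_authorized(self, role_name, permission):
        return permission in self.effective_permissions(role_name)

    def validate(self):
        """Return a list of problems: dangling superior references and
        inheritance cycles (found by DFS colouring).  Empty list means OK."""
        problems = []
        for role in self._roles.values():
            for parent in role.parents:
                if parent not in self._roles:
                    problems.append(f"{role.name}: unknown superior role {parent}")
        WHITE, GREY, BLACK = 0, 1, 2
        colour = {n: WHITE for n in self._roles}

        def visit(n):
            colour[n] = GREY
            for p in self._roles[n].parents:
                if p not in colour:
                    continue                      # dangling, already reported
                if colour[p] == GREY:
                    problems.append(f"inheritance cycle through role {p}")
                elif colour[p] == WHITE:
                    visit(p)
            colour[n] = BLACK

        for n in self._roles:
            if colour[n] == WHITE:
                visit(n)
        return problems


def build_example():
    """Constructed roles for two hypothetical applications, 'crm' and 'billing',
    plus an enterprise role that aggregates roles from both via multiple inheritance."""
    h = RoleHierarchy()
    h.add(Role("crm-viewer", {Permission("crm", "contacts", "read")}))
    h.add(Role("crm-editor", {Permission("crm", "contacts", "write")}, {"crm-viewer"}))
    h.add(Role("billing-viewer", {Permission("billing", "invoices", "view")}))
    h.add(Role("billing-payer", {Permission("billing", "invoices", "pay")}, {"billing-viewer"}))
    h.add(Role("account-manager", set(), {"crm-editor", "billing-payer"}))
    return h


def build_cyclic_example():
    """Constructed hierarchy with a two-role inheritance cycle, for validate()."""
    h = RoleHierarchy()
    h.add(Role("a", set(), {"b"}))
    h.add(Role("b", set(), {"a"}))
    return h


if __name__ == "__main__":
    h = build_example()
    print("problems:", h.validate())
    for p in sorted(map(str, h.effective_permissions("account-manager"))):
        print(p)
```

Running the block prints the four permissions the enterprise role inherits across both applications; `validate()` is the check to run whenever an administrator edits a role's superior list, since `effective_permissions` will silently tolerate a cycle and then grant whatever the cycle contains.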
