directory-dev mailing list archives

From "Alex Karasulu" <>
Subject Re: [Triplesec] [AuthZ] Environments and Groups
Date Wed, 31 Oct 2007 04:19:28 GMT
Hi David,

On 10/30/07, David Jencks <> wrote:
> On Oct 24, 2007, at 10:29 AM, Alex Karasulu wrote:
> > Environments and Groups
> > -------------------------------------
> >
> > When releases are ready for deployment, systems and applications must be
> > put into some operating environment. Within any environment identities
> > will exist; some will be users, some services and some will be specific
> > hosts. These principals, for the sake of manageability, are often
> > categorized together into logical associations. By grouping identities
> > together, administrators can handle them as a single entity where the
> > same set of tasks may apply to the group, whatever those management
> > operations may be.
> >
> > Although groups are designed by administrators to simplify and reduce
> > their workload, it's no coincidence that these groups are highly
> > dependent on an organization's structure or the processes within an
> > organization. General groups may exist for the entire organization.
> > More specific groups will exist for the departments of an organization.
> > When processes drive the creation of groups, membership is based on
> > similar functions required of a group's members. Sometimes processes are
> > isolated to a division, but more often than not, processes span across
> > divisions, leading to the creation of cross-divisional groups.
> >
> >
> I think this says that there's a set of Users (or principals?) we
> need to keep track of and that if there are more than a few users we
> will want to treat lots of them the same way.

Yes, I was referring specifically to groups of users.

But I am not suggesting that "we" store group definitions and their members
in necessarily. Users might do so with a Triplesec-only solution if external
systems are not to be utilized. Most likely we will be dealing with the mixed
case where users and groups are defined in Triplesec and within external
systems. Triplesec will need to use some techniques we can discuss later to
refer to these externally defined
> Since we are discussing authorization here I think this means that there
> are sets of users we want to grant the same permissions with a single
> simple operation.

Well, I'm just talking about the purpose of grouping in general. I think we
can get into this aspect in the role assignments thread. For now groups are
just sets of objects, although I refer to user groups specifically above.

> We extract more glossary definitions:
> >
> > Group:
> >    A set of distinctly identifiable entities which are
> > categorically alike within an
> >    organization, organizational unit or with respect to some
> > organizational process.
> >
> I'm not sure what this means beyond "a group is a set of  users".

Well you can group many things besides just human users.  We can group
printers, processes, even organizations and their divisions etc.

> I'm sure everyone agrees that we need an easy way to take users who need
> to do the same kind of stuff and treat them all in the same way.

Yes!  That's it.  This is all we need to agree on in this thread.

> Even though "groups" are in most or all existing systems I'm not sure our
> model or our discussion needs a separate concept from "roles" to handle
> them.

No! It was going so well, then this :). Groups have no security connotation
with them. They're just sets or collections of objects. Some groups may have
a uniqueness requirement, so they're sets of objects. Others don't, so
they're of objects.

Groups can be extended in several ways and we can talk about that later, but
as a teaser we have the following concepts/extensions:

   o nested groups
   o static groups
   o dynamic groups

> To me it seems that conceptually when you start with users and ask "who
> does the same kind of job" you think "group" but when you start with
> permissions and ask "what permissions do we need to group together to get
> a useful task done" you think "role".

You're mixing concepts here. I will state what I consider to be some pretty
and simple facts about groups and you can refute or agree with them:

(1) A group is a set or collection of objects.
(2) A group does not have any security connotation associated with its
     definition. It's merely an amalgamation.
(3) Groups are often defined to reduce the amount of management overhead by
     administrators: apply one operation to a group of N members, instead of
     N operations on each member. The drive to maximize this benefit over
     time brings about different kinds of groupings that naturally align
     with processes and organizational structures.
(4) A group need not be homogeneous.

Not sure about the value #3 provides to the discussion but it sounds good to
say :-D.
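As an added illustration of the four facts above (not Triplesec code and not anything posted in this thread), the following Python sketch keeps groups as plain sets of objects and puts permissions on roles only. It covers the three teaser extensions (static, dynamic and nested groups), including a nested cycle that must not make membership resolution loop forever, and a heterogeneous group mixing users with a service account. All names (Principal, Group, Authz, the sample directory, the role and permission strings) are hypothetical and chosen for the example; the sample directory is constructed inline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Principal:
    """Anything a group may contain: a user, a service, a host, a printer..."""
    name: str
    kind: str
    attrs: FrozenSet[str] = frozenset()


class Group:
    """A named set of objects, and nothing more: no permission is attached here.

    The three flavours from the thread are just three sources of members:
    static (enumerated), dynamic (a rule evaluated over the directory) and
    nested (other groups). One group may combine all three.
    """

    def __init__(self, name: str, members: Iterable[Principal] = (),
                 subgroups: Iterable["Group"] = (),
                 rule: Optional[Callable[[Principal], bool]] = None):
        self.name = name
        self.static_members: Set[Principal] = set(members)
        self.subgroups: List["Group"] = list(subgroups)
        self.rule = rule

    def members(self, directory: Iterable[Principal],
                _seen: Optional[Set[str]] = None) -> Set[Principal]:
        """Flatten membership. Nested groups can form a cycle (A contains B,
        B contains A); the _seen set makes resolution terminate anyway."""
        seen = _seen if _seen is not None else set()
        if self.name in seen:
            return set()
        seen.add(self.name)
        result = set(self.static_members)
        if self.rule is not None:
            result.update(p for p in directory if self.rule(p))
        for sub in self.subgroups:
            result |= sub.members(directory, seen)
        return result


class Authz:
    """Roles carry permissions; groups are only the things roles get assigned to."""

    def __init__(self, directory: Iterable[Principal], groups: Iterable[Group]):
        self.directory = list(directory)
        self.groups: Dict[str, Group] = {g.name: g for g in groups}
        self.role_perms: Dict[str, Set[str]] = {}
        self.role_groups: Dict[str, Set[str]] = {}

    def define_role(self, role: str, perms: Iterable[str]) -> None:
        self.role_perms[role] = set(perms)

    def assign_role_to_group(self, role: str, group: str) -> None:
        self.role_groups.setdefault(role, set()).add(group)

    def effective_permissions(self, principal: Principal) -> Set[str]:
        """Union of the permissions of every role assigned to a group that,
        after flattening, contains the principal."""
        perms: Set[str] = set()
        for role, group_names in self.role_groups.items():
            for gname in group_names:
                if principal in self.groups[gname].members(self.directory):
                    perms |= self.role_perms[role]
        return perms


def build_sample():
    """Constructed sample directory (illustration only, hypothetical names)."""
    alice = Principal("alice", "user", frozenset({"dept=eng"}))
    bob = Principal("bob", "user", frozenset({"dept=ops"}))
    backup = Principal("svc-backup", "service")
    db01 = Principal("host-db01", "host")
    directory = [alice, bob, backup, db01]

    engineering = Group("engineering",
                        rule=lambda p: p.kind == "user" and "dept=eng" in p.attrs)
    ops = Group("ops", members=[bob])
    hosts = Group("hosts", rule=lambda p: p.kind == "host")
    all_users = Group("all-users", rule=lambda p: p.kind == "user")
    # Cross-divisional and heterogeneous: two user groups plus a service account.
    oncall = Group("oncall", members=[backup], subgroups=[engineering, ops])
    # Deliberate cycle: oncall contains engineering, engineering points back.
    engineering.subgroups.append(oncall)

    authz = Authz(directory, [engineering, ops, hosts, all_users, oncall])
    authz.define_role("reader", {"db:read"})
    authz.define_role("db-admin", {"db:read", "db:write"})
    authz.assign_role_to_group("reader", "all-users")
    authz.assign_role_to_group("db-admin", "oncall")
    return authz, {p.name: p for p in directory}


if __name__ == "__main__":
    authz, who = build_sample()
    for name, p in who.items():
        print(name, sorted(authz.effective_permissions(p)))
```

The host ends up in a group (hosts) but with no permissions at all, which is the point of fact (2): being grouped grants nothing until a role is assigned to the group. The service account gets db-admin purely through static membership in the heterogeneous oncall group, while the users reach the same role through nested groups, and the engineering/oncall cycle resolves without recursion blowing up.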

