directory-dev mailing list archives

From "Alex Karasulu" <>
Subject Re: [Triplesec] [AuthZ] Environments and Groups
Date Wed, 31 Oct 2007 19:03:41 GMT
Hi David,

Again I am condensing down the content removing things we agree on.

On 10/31/07, David Jencks <> wrote:

> (2) A group does not have any security connotation associated with its
>     definition. It's merely an amalgamation.
> <flame>In that case why are we talking about it in the context of an authz
> manager?</flame>

I am not doing that yet.  You are failing to divide and conquer by doing
that yourself.  This thread is about applications and groups.  Look at my
original definitions, which nowhere mention an authorization manager.

That's the whole point.

I intend to start discussing these in the context of an authorization
manager later so we don't get tunnel vision and mix concepts together into
one big heap.

> (3) Groups are often defined to reduce the amount of management overhead by
>     enabling administrators to apply one operation to a group of N members,
>     instead of N operations on each member.  The drive to maximize this
>     benefit over time brings about different kinds of groupings that
>     naturally align with processes and organizational structures.
> (4) A group need not be homogeneous.
>
> Not sure what you mean by this.
>
> I don't argue with any of this but don't see how it relates to whether
> "group" is an appropriate concept for an RBAC discussion.  I've never denied
> that existing systems have groups defined in them and we have to work with
> these existing systems.  Just because data is stored in something called a
> "group" doesn't, to me, mean we need to call it a group in our model or
> code.

Well this is where I feel we have a complete disconnect.  Yes we can call a
group a role and mix concepts together.  This IMO is poor design.  Define
the entities you wish to model.  Then start modeling them.  The point is a
group exists, and to 99% of the developers, users, and policy makers out
there it is not equivalent to a role.

I don't want to code or maintain this and have to contort my mind to
translate a natural representation into this model.  The translation costs
extra energy.  The number of thoughts that can go through anyone's mind in
a day is finite.  Say we have a slew of users, contributors, and committers,
and so now integrate that wasted over 99%.  That amounts to a lot of
collective energy wasted to conform to this model you propose.

