Return-Path: Delivered-To: apmail-directory-dev-archive@www.apache.org Received: (qmail 3726 invoked from network); 31 Oct 2007 18:46:38 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 31 Oct 2007 18:46:38 -0000 Received: (qmail 32901 invoked by uid 500); 31 Oct 2007 18:46:25 -0000 Delivered-To: apmail-directory-dev-archive@directory.apache.org Received: (qmail 32676 invoked by uid 500); 31 Oct 2007 18:46:25 -0000 Mailing-List: contact dev-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Apache Directory Developers List" Delivered-To: mailing list dev@directory.apache.org Received: (qmail 32665 invoked by uid 99); 31 Oct 2007 18:46:25 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 31 Oct 2007 11:46:25 -0700 X-ASF-Spam-Status: No, hits=2.0 required=10.0 tests=HTML_MESSAGE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of akarasulu@gmail.com designates 209.85.146.180 as permitted sender) Received: from [209.85.146.180] (HELO wa-out-1112.google.com) (209.85.146.180) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 31 Oct 2007 18:46:29 +0000 Received: by wa-out-1112.google.com with SMTP id m38so321590waf for ; Wed, 31 Oct 2007 11:46:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:references:x-google-sender-auth; bh=ZI34F0qBUiGSatXuRUvnY3W65Q0HGtA63JQtGSt60BI=; b=sXmFjNMiq9A+OM8jNoDjwrQL6vFnpxwRpBePI9StEDB9fpuWE4B92Y7oK17S5nwRjDPSoIX8s/I1c40zZCgldtyk3Ln5DalXTvyhq2mGVh0MEzqcCag0M7gwB5Vo0w9ar6u5sAsTMV03guKlF05U7sK2T6SrCeX785dBt9pjpiM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:references:x-google-sender-auth; b=eVFEgos1q1FZ22qDbznhzIn5FyMdhgUye6a0xb2mZ4Xer2LyfY3U647mZ8fm3s+lnXkMr6c+PMZ3tX8e4ldsPSrob5CoFzYBQN3P4cDKnjk9xb7v5h53Wd004lSbUAeilFIq4IOGeDs+CL9kCKBzE17vgfDMI+Tm0YuYRg/9N9w= Received: by 10.115.59.4 with SMTP id m4mr2032428wak.1193856363099; Wed, 31 Oct 2007 11:46:03 -0700 (PDT) Received: by 10.115.18.12 with HTTP; Wed, 31 Oct 2007 11:46:03 -0700 (PDT) Message-ID: Date: Wed, 31 Oct 2007 14:46:03 -0400 From: "Alex Karasulu" Sender: akarasulu@gmail.com To: "Apache Directory Developers List" Subject: Re: [Triplesec] [AuthZ] Applications and Roles In-Reply-To: <568FB53A-9047-4AC7-A64C-35342FF9365E@yahoo.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_9342_19716815.1193856363099" References: <568FB53A-9047-4AC7-A64C-35342FF9365E@yahoo.com> X-Google-Sender-Auth: c9996d059ccc75a2 X-Virus-Checked: Checked by ClamAV on apache.org ------=_Part_9342_19716815.1193856363099 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Hi David, I'm going to start condensing a bit by removing points we agree on again. On 10/31/07, David Jencks wrote: ... > that we agree on the role-permission side of roles :-) > Yes but not on putting users into roles. ... I don't think so. In my thinking a role or permission is globally unique, > for instance if we are using ldap its "full name" might be its dn. So far I > can't imagine any use except increasing confusion for any concept of > redefining. I'll listen if you have some ideas :-) > We both agree on (really like) this idea of using scopes with visibility rules. Perhaps in a little bit we can add more clarification to this concept and better define the scoping rules that govern it. ... > #2 is about Role assignment and does not belong in the definition of a > Role. > Roles are independent of users and groups. > > > I'm not convinced. If roles are associated to either users or groups, we > can talk about the association at either end: either at the role end or the > [user|group] end. > Well my aim was not to take any particular side by defining an entity in our model called a role_assignment. The role_assignment does the association and then direction does not matter. Similarly we could talk about the role-permission association at either the > role end or the permission end. If you don't like this I'm going to request > that we describe all the associations as separate entities so there is no > bias about which way the association points. > Great this is what I've been doing all along with role assignments. role-assignment objects contain the associations of users to roles. This way roles are purely defined as a set of references to permissions. That's an implementation detail. > Not really we're still dealing with an abstract model. Furthermore it's a matter of being impartial. ... Alex ------=_Part_9342_19716815.1193856363099 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Hi David,

I'm going to start condensing a bit by removing points we agree on again.

On 10/31/07, David Jencks < david_jencks@yahoo.com> wrote:

...


that we agree on the role-permission side of roles :-)

Yes but not on putting users into roles.

...

I don't think so.  In my thinking a role or permission is globally unique, for instance if we are using ldap its "full name" might be its dn.  So far I can't imagine any use except increasing confusion for any concept of redefining.  I'll listen if you have some ideas :-)

We both agree on (really like) this idea of using scopes with visibility rules.  Perhaps in a little
bit we can add more clarification to this concept and better define the scoping rules that govern it.

...
#2 is about Role assignment and does not belong in the definition of a Role.
Roles are independent of users and groups.

I'm not convinced.  If roles are associated to either users or groups, we can talk about the association at either end: either at the role end or the [user|group] end. 

Well my aim was not to take any particular side by defining an entity in our model called a
role_assignment.  The role_assignment does the association and then direction does not matter.

Similarly we could talk about the role-permission association at either the role end or the permission end.  If you don't like this I'm going to request that we describe all the associations as separate entities so there is no bias about which way the association points. 

Great this is what I've been doing all along with role assignments.  role-assignment
objects contain the associations of users to roles.  This way roles are purely defined
as a set of references to permissions.

That's an implementation detail.

Not really we're still dealing with an abstract model.  Furthermore it's a matter of being impartial.

...

Alex
------=_Part_9342_19716815.1193856363099--