directory-dev mailing list archives

From Niclas Hedhman <>
Subject Re: [TSec convos]
Date Thu, 01 Nov 2007 05:50:36 GMT
On Wednesday 31 October 2007 00:22, Alex Karasulu wrote:
> Alex:
>    Summary: Groups are distinct from Roles.  Roles should not contain Users
> and are merely a set of permissions or permissions and other roles.
>     User can be added to groups: Group<Users>.  A user or a Group<User>
> can be associated with something called a RoleAssignment which assigns one or
> more Role<Permissions> to that user or group.  Roles only contain
> permissions.  Groups contain users with clear separation.

I have tried to follow this discussion (ain't easy), but let me chip in a 
reflection, that may or may not have been covered....

There is a difference in "Role" when talking "Roles of User" vs "Permissions of 
Role". Meaning: any organisation I have been involved with wants to view all 
their users as collections, often called Roles, e.g. "Senior 
Developer", "Network Administrator", "Chief Financial Officer" and so forth. 
Such Role(s) is/are "assigned" to a particular user.

When looking at the application's Permission system, we are also talking Roles, 
as a set of Permissions that Alex is saying above. These roles are often 
defined by the application/resource itself.

At Triplesec level, you want to be able to correlate that CFO (org role) 
implies the role "Finance Package Admin" (app role).

Hope you can work out the different perspectives you guys have...

Niclas Hedhman, Software Developer

I  live here;
I  work here;
I relax here;
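
An added sketch, not part of the original message and not Triplesec code, of how the two perspectives in this thread can fit one model. It assumes the organisational role ("Chief Financial Officer") is stored as a Group of users and that "implies" is expressed as a RoleAssignment from that group to the application role; the class names, user ids and permission strings are invented for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    """Application role: permissions plus nested roles, never users."""
    name: str
    permissions: frozenset = frozenset()
    includes: tuple = ()  # other Role objects this role contains

@dataclass
class Directory:
    groups: dict = field(default_factory=dict)       # group name -> set of user ids
    assignments: list = field(default_factory=list)  # RoleAssignment: (principal, Role)

    def principals(self, user):
        """Tagged principals, so a user id can never collide with a group name."""
        member_of = {("group", g) for g, users in self.groups.items() if user in users}
        return {("user", user)} | member_of

    def effective_roles(self, user):
        """Roles reached via direct or group assignments, then via role nesting."""
        who = self.principals(user)
        stack = [role for principal, role in self.assignments if principal in who]
        found = {}
        while stack:
            role = stack.pop()
            if role.name not in found:  # each role is expanded once
                found[role.name] = role
                stack.extend(role.includes)
        return found

    def permissions(self, user):
        roles = self.effective_roles(user).values()
        return set().union(*(r.permissions for r in roles))

# Constructed sample data; only the two quoted role names come from the thread.
ledger_reader = Role("Ledger Reader", frozenset({"ledger:read"}))
finance_admin = Role("Finance Package Admin",
                     frozenset({"ledger:write", "ledger:close-period"}),
                     includes=(ledger_reader,))
directory = Directory(
    groups={"Chief Financial Officer": {"alice"}, "Senior Developer": {"bob"}},
    assignments=[(("group", "Chief Financial Officer"), finance_admin),
                 (("user", "bob"), ledger_reader)],
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(directory.effective_roles(user)), sorted(directory.permissions(user)))
```

Because roles never hold users, removing alice from the "Chief Financial Officer" group revokes every finance permission in one step, with no role definition touched.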
