directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alex Karasulu" <>
Subject Re: [TSec convos]
Date Thu, 01 Nov 2007 16:03:58 GMT
On 11/1/07, David Jencks <> wrote:
> Alex wants the additional ability to call "CFO" a group and say it is
> not a role and can't have any permissions directly assigned to it.

No this is not a correct representation.

BAD EXAMPLE WITH CFO:  CFO is a bad choice since it's the Chief (single)
officer which can only be assigned to one user.

BETTER EXAMPLE WITH SalesRepresentative:

Let's say we have a SalesRepresentative role.  Then I may create a group
completely separate from that role called a SalesRepresentativeS: note
capitalized last S to stress the presence of an extra S.

Then I would create a role_assignment with a reference to the
SalesRepresentative role, and a reference to the SalesRepresentativeS group.
This association now makes it so anyone added to the SalesRepresentativeS
automatically gets assigned to the SalesRepresentative role. They now have
all the permissions in this role.


For the CFO I would simply not create a group at all.  Instead I would just
make a role_assignment with a reference to some user and a reference to the
CFO role.

This allows me to easily conduct searches for assignments based on the
objectClass to see immediately who is in the CFO role.

This makes the model weaker (groups have fewer
> capabilities than roles) and more complex (there are more kinds of
> things and relationships).

Dude roles and groups are not one and the same even if they can be modeled
that way.


View raw message