directory-users mailing list archives

From metcox <>
Subject [Triplesec]
Date Thu, 23 Aug 2007 11:14:43 GMT

In my application I use Apache Directory Server - but the application
should be pluggable with any other directory - and the Triplesec API
to manage authentication and authorization.
With this combination I can add a grant to a role without having to
define the related permission.
I know it's not possible with a full Triplesec solution but it's
something I'm looking for because I need to add dynamic grants. It
means an application admin (or a user who is able to add grants to
another user) could build a grant.
For instance:
"viewjob JOB" - the user is able to see the job JOB
"viewjob *" - the user is able to see all the jobs
or more complicated "viewjob *[status='SUCCESS']" - view all the jobs
with success status.
So this kind of permission can't already exist, or be created on the
fly without a complex permission management:
- if the permission doesn't already exist -> create a new one
- if the grant is removed -> delete the permission or another user
has this permission?
- if the grant is renamed -> remove the permission and create a new
one, or just rename the permission?

So my questions are:
- Is it possible to use the Triplesec API (guardian and admin) without
using the Triplesec server? For instance, can I use the guardian API
with an OpenLDAP server?
- Is it possible to add grants to a role (or a profile) without having
to define a related permission?


