shibboleth-dev - Re: ARP ACLs and authorization
- From: "Michael A. Grady" <>
- Subject: Re: ARP ACLs and authorization
- Date: Fri, 29 Mar 2002 17:28:32 -0600 (CST)
> From: Parviz Dousti
> <>
>
> Here is the way I see it:
>
> In general and for most cases the two-level model (user and Admin) would
> work fine. But there would be cases where a group of users might want to
> delegate the task of managing their ARP (or a resource branch of it) to
> someone. Also I can see that Admin might want to delegate the management
> of some ARP:Resource objects to someone else.
>
> Here is how I propose we do it:
> - I am going to assume for now that we only have "insert" access right.
> Of course it can be easily expanded to other rights.
>
> - Given the ARP model we talked about
> (http://icap.andrew.cmu.edu/aa/AA.htm) each of the following objects would
> have an ACL.
> - ARP object.
> - ARP:SHAR object.
> - ARP:RESOURCE object.
>
> - Think of an ACL as a set of uids. Users who are in the ACL of an object
> can "insert" an object hanging off of that object. E.g. if user foo is in
> the ACL of the SHAR object of my ARP, foo can create a new RESOURCE object for
> me.
>
When you say a 'set of uids', I assume you are talking generically? E.g. that
a uid might actually represent a group, or 'self', or a DN from a directory?
You don't literally mean storing ACLs whose values are the actual usernames?
> - Basically that is all! Once we expand the rights to read, write,
> browse, admin (change ACL), etc. we can control it all.
>
> - Notice that ARP:ATTR does not have an ACL, as I see the filter as an
> integral part of the ARP:ATTR object.
>
> What do you think?
>
> Parviz
>
--
Michael A. Grady
Senior Research Programmer
Computing & Communications Services Office
University of Illinois at Urbana-Champaign
Rm. 103, MC 680, 2212 Fox Drive, Suite C, Champaign, IL 61820
http://ljordal.cso.uiuc.edu
(217) 244-1253 phone
(217) 265-5635 fax
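The proposal quoted above (one ACL per ARP, ARP:SHAR and ARP:RESOURCE object, "insert" on an object letting you hang a child off it, ARP:ATTR with no ACL of its own), together with the point that an ACL entry may stand for a group rather than a literal username, as an added Python sketch; this is not code from the thread or from Shibboleth, and the object kinds, right names, principal strings and group map are assumptions drawn from the text.

```python
from dataclasses import dataclass, field

# Rights named in the proposal: "insert" now, the rest as it is expanded.
RIGHTS = {"insert", "read", "write", "browse", "admin"}
# Which kind of object hangs off which; ARP:ATTR carries no ACL of its own.
CHILD_KIND = {"ARP": "SHAR", "SHAR": "RESOURCE", "RESOURCE": "ATTR"}

@dataclass
class ArpNode:
    """One ARP / ARP:SHAR / ARP:RESOURCE / ARP:ATTR object. The ACL maps a
    right to a set of principal strings ('uid:foo' or 'group:name'), so an
    entry need not be a literal username."""
    kind: str
    name: str
    owner: str
    acl: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)

def principals_for(uid, groups):
    """The uid plus its group memberships; `groups` is a constructed
    uid -> set of group names map standing in for a directory lookup."""
    return {f"uid:{uid}"} | {f"group:{g}" for g in groups.get(uid, ())}

def has_right(node, uid, right, groups):
    """The owner holds every right on their own tree. Anyone else needs an
    entry on this object's own ACL: rights do not inherit down the tree,
    and an ATTR object has none, so its parent RESOURCE decides."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}")
    if uid == node.owner:
        return True
    if node.kind == "ATTR":
        return False
    return bool(principals_for(uid, groups) & node.acl.get(right, set()))

def insert_child(parent, uid, child, groups):
    """Hang `child` off `parent` if uid has "insert" on parent, e.g. foo in
    the ACL of my SHAR object may create a RESOURCE object for me."""
    if CHILD_KIND.get(parent.kind) != child.kind:
        raise ValueError(f"{child.kind} cannot hang off {parent.kind}")
    if not has_right(parent, uid, "insert", groups):
        raise PermissionError(f"{uid} may not insert under {parent.kind} {parent.name}")
    parent.children[child.name] = child
    return child

def grant(node, uid, right, principal, groups):
    """Change an ACL; delegated through the "admin" right on that object."""
    if not has_right(node, uid, "admin", groups):
        raise PermissionError(f"{uid} may not change the ACL of {node.kind} {node.name}")
    node.acl.setdefault(right, set()).add(principal)
```

Because a right is checked only on the object it is granted on, delegating "insert" on one SHAR object gives the delegate nothing on the ARP above it or on the RESOURCE objects they create beneath it.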