Shibboleth Developers

[Parviz Dousti <>]

--On Friday, March 29, 2002 5:28 PM -0600 "Michael A. Grady" 
<> wrote:

> >   - Think of ACL as a set of uids.  Users who are in the ACL of and
> >   object  can "insert" an object hanging off of that object.  e.g. if
> > user foo is in  the ACL of SHAR object of my ARP,  foo can create a new
> > RESOURCE object for  me.
>
> When you say a 'set of uids', I assume you are talking generically? E.g.
> that a uid might actually represent a group, or 'self', or a DN from a
> directory? You don't literally mean storing ACLs whose values are the
> actual usernames?

I really don't want to implement a full fledge authorization system.  I 
specifically did not have groups in mind when I wrote that.  I like to have 
the notion of ACLs in the design and implement the minimum that would make 
this project useful at this time.  Of course we would make sure to make it 
easily expandable and can use an external authorization module.  I think 
time would tell how this system would be used and in which direction it 
would be expanded.


------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

   http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--