On 10 Jul 2010, at 09:38, Gustaf Neumann wrote:
I am somewhat confused by your terminology. If you are looking for access control management, look for example at xoRBAC, which follows the role based access control model, standardized by the NIST http://wi.wu-wien.ac.at:8002/home/mark/xoRBAC/index.html
Thanks, Gustaf, for bringing this up. I'll be looking at this.
the basic notion in access control is based on <subject> <pred> <object> idea, which subject (individual, user) is allowed to execute which operations (pred) on which objects.
Yes, I am aware of this, if only on a vague level (having so far avoided the need). As this is all to do with describing, in a web framework, which users are allowed to do what, on the lowest level, this may be overkill. But maybe not.
At the moment I've been experimenting with the idea, stolen from UNIX file permissions, that each object has an owner and a group — both of which are optional. Each object has a set of easy UNIX style permissions, but with the additional concept of a 'friend'. So rwxrwxrwxrwx
That is to say what kind of permissions the user has, the user's friends (if defined), members of the group the object belongs to, and other users.
Each method for the object can be defined to be a read, a write or an 'execute' method (like "Send Email"). The system checks the currently logged in user, the method being called, and the access that user has. Later ACLs could be added.
There may be serious drawbacks with this idea, as I'm just experimenting, but it feels appealingly simple. The benefit of simplicity is that then it is almost no effort to specify a base level of access. That means people actually bother doing it, which then leads to better security :-)