wsrp message



Subject: RE: [wsrp][security] 5/15 telecon agenda - access roles


Hi,

Regarding the discussion, I'd like to put forward some suggestions. If they
aren't original, I'm sorry - this is just my complete point of view (it
differs from my original suggestions):

--

0) I think the standard should support ANY service-specific roles and their
binding to local roles. Later in this text I explain my first suggestion
about standard roles.

--

1) We should assume roles are marked with their namespace, e.g.:

<!-- metadata -->
<supported-roles>
  <role name="Administrator" rolenamespace="http://www.moravia-it.com/service1/roles"/>
  <role name="Team Leader" rolenamespace="http://www.moravia-it.com/service1/roles"/>
  <role name="Programmer" rolenamespace="http://www.moravia-it.com/service1/roles"/>
</supported-roles>
<!-- /metadata -->

Reason: 
a) if you plug five portlets from one service into your portal, you bind the
service-specific roles to your roles/groups/people only once; the next time
you already have the binding.
b) we can define standard roles for WSRP, for some particular standardized
operations (like ebXML), or for a particular kind of business.

--

2) IMHO the portal should (not MUST) understand some very basic roles if it
wants to support WSRP. I suggest standard roles like (the standard WSRP
namespace is just an example):

  <!-- can set up the component -->
  <role name="administrator" rolenamespace="http://www.oasis-open.org/wsrp-1.0"/>
  <!-- an authenticated user that can access the portlet content -->
  <role name="user" rolenamespace="http://www.oasis-open.org/wsrp-1.0"/>

The reason is easier pluggability. It can be enough for many applications.
We could also differentiate reader (any authenticated user who can access
the portlet) and editor (a specific user with more permissions) as I
suggested at the beginning.

--

3) For easier pluggability we could also define alternative roles that would
be mapped only to the standard WSRP roles. If the portal doesn't
support/doesn't bind the specific roles, they are bound to the standard ones:

<!-- metadata -->
<supported-roles>
  <role name="Administrator" rolenamespace="http://www.moravia-it.com/service1/roles">
    <alternativerole name="administrator" rolenamespace="http://www.oasis-open.org/wsrp-1.0"/>
  </role>
  <role name="Team Leader" rolenamespace="http://www.moravia-it.com/service1/roles">
    <alternativerole name="administrator" rolenamespace="http://www.oasis-open.org/wsrp-1.0"/>
  </role>
  <role name="Programmer" rolenamespace="http://www.moravia-it.com/service1/roles">
    <alternativerole name="user" rolenamespace="http://www.oasis-open.org/wsrp-1.0"/>
  </role>
</supported-roles>
<!-- /metadata -->

--

4) Names of roles and internationalization
We should assign each role an ID that can be hard-coded and is
language-independent. So the role metadata will be:

  <role id="1" rolenamespace="http://www.moravia-it.com/service1/roles">
    <caption lang="en-en">Team Leader</caption>
    <description lang="en-en">Team Leader can change the members of team.</description>
    <caption lang="cs-cz">... another supported language ...</caption>
    <description lang="cs-cz">...</description>
  </role>


I hope this sounds more sensible than my explanation on the phone.

Regards,

Petr PALAS, Moravia IT
petrp@moravia-it.com
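The resolution logic implied by points 1, 3 and 4 above (namespaced role keys so one binding serves every portlet of a service, fallback to an alternative role only into the standard WSRP namespace, and language-tagged captions) as an added worked example. This is editorial example code, not from the mail, the WSRP committee or any WSRP specification. It assumes a combined metadata shape in which a `<role>` carries the section-4 `id`, an optional `<alternativerole>` and `<caption>` children; the namespace URIs, the portal-side binding table, the local role names and the `STANDARD_NAMESPACES` set are all constructed for the example. Two deny-by-default choices a portal implementer would want are made explicit: an explicit binding is authoritative even when it binds nobody, and an `<alternativerole>` pointing outside a standard namespace is ignored rather than trusted, so a portlet cannot claim another service's bound role by naming it.

```python
from __future__ import annotations
from dataclasses import dataclass
import xml.etree.ElementTree as ET  # fine for operator-supplied metadata; use defusedxml for untrusted input

# Namespaces from the mail: the service's own roles and the (example) standard WSRP namespace.
SERVICE_NS = "http://www.moravia-it.com/service1/roles"
WSRP_NS = "http://www.oasis-open.org/wsrp-1.0"
STANDARD_NAMESPACES = frozenset({WSRP_NS})  # assumption: the only namespaces fallback may go through

# Constructed sample metadata combining sections 1, 3 and 4 of the mail.
SAMPLE_METADATA = f"""
<supported-roles>
  <role id="1" rolenamespace="{SERVICE_NS}">
    <caption lang="en">Administrator</caption>
    <alternativerole name="administrator" rolenamespace="{WSRP_NS}"/>
  </role>
  <role id="2" rolenamespace="{SERVICE_NS}">
    <caption lang="en">Team Leader</caption>
    <caption lang="cs">Vedouci tymu</caption>
    <alternativerole name="administrator" rolenamespace="{WSRP_NS}"/>
  </role>
  <role id="3" rolenamespace="{SERVICE_NS}">
    <caption lang="en">Programmer</caption>
    <alternativerole name="user" rolenamespace="{WSRP_NS}"/>
  </role>
</supported-roles>
"""


@dataclass(frozen=True)
class RoleRef:
    """A role is keyed by (namespace, local id/name), never by its display caption."""
    namespace: str
    local: str


@dataclass
class PortletRole:
    ref: RoleRef
    captions: dict              # language tag -> display name
    alternative: RoleRef | None


def parse_supported_roles(xml_text: str) -> list[PortletRole]:
    root = ET.fromstring(xml_text)
    if root.tag != "supported-roles":
        raise ValueError("expected <supported-roles> root")
    roles = []
    for el in root.findall("role"):
        ns = el.get("rolenamespace")
        local = el.get("id") or el.get("name")  # section 4 uses id, sections 1-3 use name
        if not ns or not local:
            raise ValueError("<role> needs rolenamespace and id/name")
        alt = None
        alt_el = el.find("alternativerole")
        if alt_el is not None:
            if not alt_el.get("rolenamespace") or not alt_el.get("name"):
                raise ValueError("<alternativerole> needs rolenamespace and name")
            alt = RoleRef(alt_el.get("rolenamespace"), alt_el.get("name"))
        captions = {c.get("lang", ""): (c.text or "").strip() for c in el.findall("caption")}
        roles.append(PortletRole(RoleRef(ns, local), captions, alt))
    return roles


def granted_roles(roles, bindings, user_local_roles, standard_namespaces=STANDARD_NAMESPACES):
    """Portlet roles the user holds; bindings maps RoleRef -> set of portal-local role names.

    Deny by default: a role is granted through its explicit binding or, only when the
    portal has no binding for it at all, through its alternativerole, and only if that
    alternative lives in a namespace the portal treats as standard.
    """
    granted = set()
    for role in roles:
        if role.ref in bindings:
            # An explicit binding is authoritative, even if the admin bound nobody to it.
            if bindings[role.ref] & user_local_roles:
                granted.add(role.ref)
            continue
        alt = role.alternative
        if alt is None or alt.namespace not in standard_namespaces:
            continue  # unbound and no trustworthy fallback: grant nothing
        if bindings.get(alt, set()) & user_local_roles:
            granted.add(role.ref)
    return granted


def caption_for(role: PortletRole, lang: str, default_lang: str = "en") -> str:
    """Display name in the requested language, else the default language, else the key."""
    return role.captions.get(lang) or role.captions.get(default_lang) or f"{role.ref.namespace}#{role.ref.local}"


# Constructed portal-side bindings: the standard WSRP roles are bound once and reused by
# every portlet of every service; only Team Leader gets a service-specific binding.
SAMPLE_BINDINGS = {
    RoleRef(WSRP_NS, "administrator"): {"portal-admins"},
    RoleRef(WSRP_NS, "user"): {"authenticated"},
    RoleRef(SERVICE_NS, "2"): {"dev-leads"},
}


def resolve(user_local_roles, metadata=SAMPLE_METADATA, bindings=SAMPLE_BINDINGS):
    """Sorted local ids of the portlet roles this user is granted."""
    roles = parse_supported_roles(metadata)
    return sorted(r.local for r in granted_roles(roles, bindings, set(user_local_roles)))


if __name__ == "__main__":
    for who in ({"authenticated"}, {"authenticated", "portal-admins"}, {"authenticated", "dev-leads"}):
        print(sorted(who), "->", resolve(who))
```

Note what the sample shows: a portal admin who is not in `dev-leads` does not get Team Leader, although that role's alternative is `administrator`, because the portal bound Team Leader explicitly and the fallback is used only for roles the portal never bound at all.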







-----Original Message-----
From: Cassidy, Mark [mailto:mcassidy@Netegrity.com]
Sent: Wednesday, May 15, 2002 8:26 AM
To: 'wsrp@lists.oasis-open.org'
Subject: [wsrp][security] 5/15 telecon agenda; *** NEW CONFERENCE
CODE***


Note the new conference code for this and future security telecons:

Time:  8:00 a.m. PST(11:00 a.m. EST, 5:00 p.m. CET)
Reservationless-Plus Toll Free Dial-In Number: 877.450.3529
Reservationless-Plus International Dial-In Number: +1.706.679.6653
Conference Code: 4254674195


I'd like to focus tomorrow's call on access control issues.  We talked last
time about the idea of portlets exposing roles they understand, where roles
drive levels of service access to the requestor.  We also discussed the
notion of  portals providing binding of users to roles.  Some questions to
discuss:

1.  What are common scenarios for roles?  Seems like (user, admin) is the
most common scenario.
2.  Do we need to support the concept of roles in WSRP?  I believe the
answer here is yes, but would be good to discuss.
3.  Are portlets required to support roles?  I would think not required.
4.  If a portlet exposes roles, is a portal required to understand them?
5.  If the answer to above is yes, can we define a standard set of roles to
make it easier for portals and portlets to implement?


 <<wsrp security minutes 5.8.htm>>  <<wsrp security minutes 5.1.htm>>  
<<Security requirements0.1.htm>> 



