Subject: RE: Groups vs. Roles
see embedded comments

> -----Original Message-----
> From: bill parducci [mailto:bill@parducci.net]
> Sent: Thursday, July 26, 2001 8:15 AM
> To: Simon Y. Blackwell
> Subject: Re: Groups vs. Roles
>
> > There are some issues with describing a group as an attribute of a user if
> > one is speaking about physical implementation. To support some operations it
> > is useful to think of a group as an entity unto itself. Group membership
> > does not seem to be the same type of thing as say "hair color", which is
> > indeed an attribute of an individual.
>
> true from the object standpoint, but a group without 'users' is a tree
> falling in a deserted forest. probably just a practical semantic, but
> pragmatically it is nothing more than a collection of users. then again,
> a user cannot participate within a group without being a member of the
> group (group attribute). therefore, it is something of a symbiotic
> relationship. either way, at the level i mentally operate, a group is a
> descriptor of a user (i.e. IDENTITY), whereas a role is a descriptor
> of the user's capabilities. (group: simon is californian, simon's
> driver's license lets him operate a vehicle)

OK, we're in agreement here ... BTW, what's a driver's license? Do I need one?-)

> > On a slightly different tack, here is a comment extracted from some Ponder
> > docs:
> >
> > "A role is thus a special case of a group, in which all the policies have
> > the same subject."
> >
> > This would imply that although roles are useful, one never has to reference
> > a role from a policy. One can simply reference the group which has a one to
> > one mapping with the named role. This is not inconsistent with my first
> > statement:
> >
> > "For all roles R, there exists a group G such that all members M of G have
> > role R."
>
> heretical maybe, but i disagree with ponder. i think that in this case
> the role is implied. a user cannot 'do' anything, only a role can.
> however every object has at least one role, be it explicit or implicit.
>
> b

Hmmmm ... and thus the need for a foundational model! Perhaps it is the tuple of user-role that can do something, not the role alone and not the user alone, i.e. only a user playing a role can do something.

Regardless, it does seem possible that given a mapping between some role and at least one group (implicit, explicit, and/or dynamic) that contains all and only subjects that play that role, policies need not refer to roles directly; they could always refer to groups. However, they may still have to directly refer to specific subjects. Unless, of course, it is declared that there are identity groups that always have exactly one member and a one-to-one mapping with each subject in a system. Note, this could well be logically correct but might result in a policy language that is comprehensible to just a limited set of users, since it relies heavily on indirect set-oriented semantics.
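The reduction Simon sketches above, carried through in code: every role R gets a derived group holding all and only the subjects that play R, subject-specific rules get singleton "identity groups", and the rewritten group-only policy is checked to decide every request exactly as the original. This is an added example, not code from the thread or from Ponder; the subjects, roles, actions and policy rules are constructed for illustration.

```python
# Constructed sample data (not from the thread): each subject's roles and one
# ordinary group. "californians" is a group (identity); "editor" is a role.
ROLES = {"simon": {"reviewer", "editor"}, "bill": {"reviewer"}, "carol": set()}
GROUPS = {"californians": {"simon", "carol"}}
ACTIONS = ("publish", "comment", "read", "archive")

# Permit rules (kind, name, action); kind is "role", "group" or "user". Default deny.
ROLE_POLICY = [
    ("role", "editor", "publish"),
    ("role", "reviewer", "comment"),
    ("group", "californians", "read"),
    ("user", "bill", "archive"),     # a subject-specific rule, no role involved
]

def role_groups(roles):
    """Build G(R) for every role R: all and only the subjects that play R."""
    out = {}
    for user, user_roles in roles.items():
        for r in user_roles:
            out.setdefault("role:" + r, set()).add(user)
    return out

def identity_groups(users):
    """One singleton group per subject, so a rule can still name one user."""
    return {"id:" + u: {u} for u in users}

def to_group_policy(policy):
    """Rewrite role and user references as references to the derived groups."""
    prefix = {"role": "role:", "user": "id:"}
    return [("group", prefix[k] + n, a) if k in prefix else (k, n, a)
            for k, n, a in policy]

def permitted(policy, groups, roles, user, action):
    """Decide one request: may `user` perform `action`? Default deny."""
    for kind, name, act in policy:
        if act == action and (
            (kind == "user" and name == user)
            or (kind == "role" and name in roles.get(user, ()))
            or (kind == "group" and user in groups.get(name, ()))):
            return True
    return False

def group_only_equivalent(identity=True):
    """True if the group-only rewrite decides every (user, action) request
    exactly as the original; without identity groups the user rule is lost."""
    derived = {**GROUPS, **role_groups(ROLES)}
    if identity:
        derived.update(identity_groups(ROLES))
    rewritten = to_group_policy(ROLE_POLICY)
    return all(permitted(ROLE_POLICY, GROUPS, ROLES, u, a)
               == permitted(rewritten, derived, {}, u, a)   # roles never consulted
               for u in ROLES for a in ACTIONS)
```

Calling `group_only_equivalent(identity=False)` shows the caveat in the message: once roles are gone, a rule that names a single subject can only survive if that subject has a one-member group.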