
cmis message



Subject: ACL Considerations and Concerns


I just wanted to put down some flags on where there may be hazards in consideration of ACLs.

(Julian Reschke can also offer experience on the ACL work for WebDAV.)

1. Identifying principals that are the subjects of authorization is important. It is also a challenge. One might want an extensible mechanism even though the kind of principal might be highly restricted in order to grab the low-hanging fruit.

2. Groups and group memberships are a problem.

3. Inheritance based on location context of a resource is a problem, especially when there can be intermingled groups and atomic principals and role notions.

4. The ability to specify exclusions creates complications for all of the above.

5. Wanting an interoperable mechanism that is neutral with regard to specific CMS repositories probably makes this an over-constrained problem.  So then the issue is how much pass-through is defined without actually determining the end-point rules.

6. Considering 1-5, agreeing on the access and manipulations that are authorizable (or restrictable) seems easy.  It will also raise concerns with respect to (5) and being able to build generic clients (e.g., an Explorer model).

 - Dennis

PS: I am not arguing against addressing this problem, because it does matter in key use cases. The trick is going to be finding a simple set that doesn't hurt later and doesn't impede having interoperable/generic intermediaries that work well end-to-end.

Dennis E. Hamilton
------------------
NuovoDoc: Design for Document System Interoperability 
mailto:Dennis.Hamilton@acm.org | gsm:+1-206.779.9430 
http://NuovoDoc.com http://ODMA.info/dev/ http://nfoWorks.org 


