[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Folder proposal overview
<from meeting note 5/13/04> Folder idea (carry over from F2F). Farrukh not present. Duane’s concern that it could violate the MVC and bring registry into UI. </from meeting note 5/13/04> I had explained this at the New Orleans f2f that everything I propose is part of Information Model (the M in MVC). There is no violation of MVC by introducing view into the specs. We are defining a registry and a repository. All repositories support a notion of files and folders as part of their model to facilitate structural organization of content (see nt:file and nt:folder in JSR 170 for example). This has nothing to do with views (how the structure is displayed). No let us go back to the motivation of why I am proposing this enhancement in historical retrospective perspective... In version 2.5 we added an HTTP interface that allowed all RegistryObjects and RepositoryItems to be accessible via a URL based upon its id. The problem was that the URL was meaningless to the submitter (kind of like a KAVI URL). So next we introduced post 2.5 and approved the "User defined URL" feature. This feature augmented the HTTP interface by allowing a submitter to optionally provide one or more user defined URLs that were meaningful to the user. This was a major improvement. However we still have an issue that user-defined URLs have no access control. Anyone can assign any (potentially misleading) URL to objects they own. For example lets us say Duane is using the following URLs prefix for all hist objects: ..../userData/duane/.... Now along comes Farrukh and submits some false information allegedly pertaining to Duane under the URL: ..../userData/duane/companyInfo/aboutDuanesCompany.html There is absolutely nothing that Duane can do since I published that URL on *MY* object. But the damage is done to Duane's stellar reputation. The File/Folder metaphor proposal augments the user-defined URLto allow Duane to protect his stellar reputation. The Registry has a userData folder as root of all userData. The folders access control allows anyone to create files and folders in it. Duane creates a folder named "duane" under it and sets its access control to only allow Duane and possible his dear wife and some choice friends to create files and folders under it. I simply will not be able to write my slanderous files under Duane's folder. Dang! ;-) How would this work? Quite simple really. We use some of our existing "few good primitives" and put them to work for this use case as follows... To create a Folder one creates a RegistryPackage. To assign access control to a folder access control one uses "reference access control" using XACML ACP that we already support. See a couple of examples attached. The examples have comments explaining things. To create a file within a folder one simply creates a RegistryObject (which could be a RegistryPackage / folder) and adds it as a member of the RegistryPackage for the folder. The file can have its own ACP. This is just like Unix file system permissions which is a tried and trusted model. BTW Unix filesystem is not violating MVC - is it? Finally, note that we do not have to introduce any new "Folder" or "File" type in RIM. In fact we do not have to change RIM at all! In summary, with little effort we provide a valuable enhancement to our repository feature. Does this explaination address some of the concerns and clear some misunderstandings? PS: My apologies for missing yesterday's meeting. My best friend's epic 2 month long wedding party had another significant event. -- Regards, Farrukh
<?xml version="1.0" encoding="UTF-8"?> <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy C:\tmp\xacml\cs-xacml-schema-policy-01.xsd" PolicySetId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:policy:folderACP1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"> <Description> This PolicySet restricts adding members to RegistryPackage resource to Role ProjectLead </Description> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> </Target> <PolicyIdReference>urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:policy:policyid:permit-anyone-to-read</PolicyIdReference> <PolicyIdReference>urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:policy:policyid:permit-owner-all</PolicyIdReference> <PolicyIdReference>urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:policy:policyid:permit-registryadministrator-all</PolicyIdReference> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy C:\tmp\xacml\cs-xacml-schema-policy-01.xsd" PolicyId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:policy:permit-projectLead-addMember" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"> <Description> Allow Subjects with ProjectLead role to add members to any resource associated with this ACP. </Description> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> </Target> <Rule RuleId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:rule:ruleid:permit-projectLead-addMember-rule" Effect="Permit"> <Description> Allow Subjects with ProjectLead role to add members to any resource. </Description> <Target> <Subjects> <Subject> <!-- Match role ProjectLead --> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>/urn:uuid:41ce5ef5-2117-4304-baf5-feb35295c1c1/ProjectMember/ProjectLead</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:subject:roles" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <Action> <!-- Match "reference" action --> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>reference</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target> <!-- Match condition where all the following are true: 1. reference is being made via the attribute sourceObject (from an Association instance) 2. The associationType attribute of the Association matches the id for associationType HasMameber Above is equivalent to saying Match any HasMember associations where the resource (the RegistryPackage) is the sourceObject. --> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>SourceObject</AttributeValue> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:action:reference-source-attribute" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> </Apply> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI";>urn:uuid:2d03bffb-f426-4830-8413-bab8537a995b</AttributeValue> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only"> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:action:reference-source-attribute-filter:associationType" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> </Apply> </Apply> </Condition> </Rule> </Policy> </PolicySet>
<?xml version="1.0" encoding="UTF-8"?> <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy C:\tmp\xacml\cs-xacml-schema-policy-01.xsd" PolicySetId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:policy:rootFolderACP" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"> <Description> This PolicySet restricts adding members to RegistryPackage resource to Role ProjectLead </Description> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> </Target> <PolicyIdReference>urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:policy:policyid:permit-anyone-to-read</PolicyIdReference> <PolicyIdReference>urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:policy:policyid:permit-owner-all</PolicyIdReference> <PolicyIdReference>urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:policy:policyid:permit-registryadministrator-all</PolicyIdReference> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy C:\tmp\xacml\cs-xacml-schema-policy-01.xsd" PolicyId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:policy:permit-projectLead-addMember" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"> <Description> Allow Subjects with ProjectLead role to add members to any resource associated with this ACP. </Description> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> </Target> <Rule RuleId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:rule:ruleid:permit-registryAdmin-addMember-rule" Effect="Permit"> <Description> Allow Subjects with ProjectLead role to add members to any resource. </Description> <Target> <Subjects> <Subject> <!-- Match role RegistryAdministrator --> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>/urn:uuid:41ce5ef5-2117-4304-baf5-feb35295c1c1/RegistryAdministrator</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:subject:roles" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <Action> <!-- Match "reference" action --> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>reference</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target> <!-- Match condition where all the following are true: 1. reference is being made via the attribute sourceObject (from an Association instance) 2. The associationType attribute of the Association matches the id for associationType HasMameber Above is equivalent to saying Match any HasMember associations where the resource (the RegistryPackage) is the sourceObject. --> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>SourceObject</AttributeValue> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:action:reference-source-attribute" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> </Apply> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI";>urn:uuid:2d03bffb-f426-4830-8413-bab8537a995b</AttributeValue> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only"> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:action:reference-source-attribute-filter:associationType" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> </Apply> </Apply> </Condition> </Rule> </Policy> </PolicySet>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]