RE: [higgins-dev] AuthZ observation

Prateek,

Prateek wrote:
> 
> Who is publishing the policy - "UserX has OperationY access to
> ResourceZ"? Is it the owner or custodian of the resource? Or is it
> someone else?

owner/custodian

<snip>
> 
> I guess identifying the different players here would help me understand
> the problem better
> 

Prateek, you may be getting confused by IdAS terminology. When Duane talks
about entities he means data objects managed by IdAS. [These objects are
called "nodes" in Higgins 1.0 and will be renamed "entities" in Higgins
1.1.] So when Duane refers to "ResourceZ" he means EntityZ. Duane's first
bullet is his concern about the downstream (negative) implications of
allowing EntityZ/ResourceZ to change its "id".

[My two cents: I thought entityids were immutable. But I'm looking at the
wiki and can't find anywhere where it actually says that!]

-Paul


> >
> > Duane made this observation:
> >
> >
> > * If AuthZ allows us to express something like "UserX has OperationY
> > access to ResourceZ", then we must disallow renames of entities.
> >
> > ** Otherwise, if the "UserX" or "ResourceZ" entities are renamed, we
> > have a problem where the AuthZ is disconnected.
> >
> > *** Worse, if UserX is removed, and another one added, they will be
> > unwittingly granted access.
> >
> >
> > This is especially true if we allow the AuthZ to be managed by a
> > layered CP, because the underlying Context might be directly accessed
> > to perform a rename, leaving the upper "authZ CP" unaware of the fact
> > that it has a disconnected authZ statement.
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > higgins-dev mailing list
> > higgins-dev@xxxxxxxxxxx
> > https://dev.eclipse.org/mailman/listinfo/higgins-dev
> >
> 

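The failure modes Duane lists (a grant that goes "disconnected" on rename, and a new entity that inherits access because it reuses a removed entity's name) are easy to reproduce with a toy store. The following is an added illustration, not Higgins or IdAS code; it assumes an in-memory directory whose entities carry a system-assigned immutable id (a UUID here, an assumption) alongside a mutable name, and compares an AuthZ store that keys grants by name with one that keys them by id. The rename and removal happen directly on the directory, bypassing both AuthZ stores, which mirrors the "layered CP" case where the underlying Context is modified without the authZ CP noticing.

```python
import uuid


class Directory:
    """Toy identity store. Each entity has an immutable id and a mutable name.
    Writes go straight to the store, so an AuthZ layer built on top of it is
    not told about renames or removals (the 'underlying Context' case)."""

    def __init__(self):
        self._name_by_id = {}
        self._id_by_name = {}

    def add(self, name):
        eid = str(uuid.uuid4())  # assumed: ids are opaque and never reused
        self._name_by_id[eid] = name
        self._id_by_name[name] = eid
        return eid

    def rename(self, eid, new_name):
        old = self._name_by_id[eid]
        del self._id_by_name[old]
        self._name_by_id[eid] = new_name
        self._id_by_name[new_name] = eid

    def remove(self, eid):
        name = self._name_by_id.pop(eid)
        del self._id_by_name[name]

    def exists(self, eid):
        return eid in self._name_by_id

    def name_of(self, eid):
        return self._name_by_id.get(eid)


class NameKeyedAuthZ:
    """Stores 'UserX has OperationY access to ResourceZ' using names.
    A check resolves the caller's current name and looks that up, so the
    grant silently follows the *name*, not the entity."""

    def __init__(self, directory):
        self.directory = directory
        self.grants = set()

    def grant(self, user_name, op, resource_name):
        self.grants.add((user_name, op, resource_name))

    def allowed(self, user_eid, op, resource_eid):
        key = (self.directory.name_of(user_eid), op,
               self.directory.name_of(resource_eid))
        return key in self.grants


class IdKeyedAuthZ:
    """Same statement, but bound to immutable entity ids. Renames cannot
    detach a grant, and a re-created entity gets a fresh id, so it inherits
    nothing. Removal still leaves a dangling grant, which prune() reports."""

    def __init__(self, directory):
        self.directory = directory
        self.grants = set()

    def grant(self, user_eid, op, resource_eid):
        self.grants.add((user_eid, op, resource_eid))

    def allowed(self, user_eid, op, resource_eid):
        return (user_eid, op, resource_eid) in self.grants

    def prune(self):
        """Drop grants whose subject or resource no longer exists.
        Returns the number of dangling grants removed."""
        dangling = {g for g in self.grants
                    if not (self.directory.exists(g[0])
                            and self.directory.exists(g[2]))}
        self.grants -= dangling
        return len(dangling)


def scenario():
    """Walk through rename, then remove-and-re-add, under both policies.
    Each result is (name_keyed_allowed, id_keyed_allowed)."""
    d = Directory()
    alice = d.add("alice")
    doc = d.add("doc1")  # constructed sample entities
    by_name = NameKeyedAuthZ(d)
    by_id = IdKeyedAuthZ(d)
    by_name.grant("alice", "read", "doc1")
    by_id.grant(alice, "read", doc)

    out = {"initial": (by_name.allowed(alice, "read", doc),
                       by_id.allowed(alice, "read", doc))}

    d.rename(alice, "alice.smith")  # done on the Context, AuthZ not told
    out["after_rename"] = (by_name.allowed(alice, "read", doc),
                           by_id.allowed(alice, "read", doc))

    d.remove(alice)
    newcomer = d.add("alice")  # a different person takes the old name
    out["newcomer"] = (by_name.allowed(newcomer, "read", doc),
                       by_id.allowed(newcomer, "read", doc))

    out["dangling_removed"] = by_id.prune()
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(step, result)
```

The name-keyed store loses the grant on rename and then hands it to the newcomer, exactly the two problems in the observation; the id-keyed store survives the rename and denies the newcomer, leaving only the housekeeping task of pruning grants that point at removed entities. That housekeeping is the residual cost of letting the underlying Context be written directly: the AuthZ layer cannot react to a removal it never sees, so it has to re-validate grants against the directory, as `prune()` does.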