On Fri, 18 Jan 2002 12:13, MCCAY,LARRY (HP-NewJersey,ex2) wrote:
> > So Role would be another principal? In effect you would do a
> > mapping from
> > "identity" principal to "Role" principal and then just use
> > that?
>
> Actually, I was thinking that the concept of role could be implemented in
> policy by a collection of permissions. Specifying the mapping between any
> given principal - say a group principal representing membership to a group
> called administrators - is mapped to a set of permissions within a given
> policy context (application) thereby granting these permissions to any
> Subject containing the AdministratorPrincipal - this collection of
> permissions can be identified by name - which is basically role-name in
> J2EE terms.

Not entirely sure where the difference between the two above explanations is ;)
Is it just that in the way I described it you changed principals while the way
you describe it you just add a new principal (the Group/Role principal) to the
subject?

> The mapping of the principals to permissions would be done in terms of
> principal type and value to necessary permissions within a given policy
> context (application) and accomplished through the administrative interface
> exposed through JMX.
>
> This is very much in line with the JSR 115 effort - which is in community
> draft, currently. Providing this JSR is successful, compliance would
> enable the ability to plug in arbitrary authorization providers.
>
> http://www.jcp.org/jsr/detail/115.jsp

sounds good.

> BTW - AAA is Authentication, Authorization and Administration - I usually
> add a fourth - Auditing.
>
> :-)

kool. Got the first two - no idea on third or fourth ;)

--
Cheers,

Pete

----------------------------------------
Why does everyone always overgeneralize?
----------------------------------------
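
The mapping discussed in this thread (principal type and value, to a named set of permissions, scoped to a policy context), sketched as an added example; it is not code from either poster or from the project. `RoleMappingExample`, `GroupPrincipal`, `AppPermission` and the context and permission names are hypothetical, and each principal maps to a single role per context to keep the sketch short.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

public class RoleMappingExample {
    // Hypothetical principal type; equality covers both type and value (the name).
    record GroupPrincipal(String name) implements Principal { public String getName() { return name; } }
    // Hypothetical application permission.
    static final class AppPermission extends BasicPermission { AppPermission(String n) { super(n); } }

    // policy context id -> (principal -> role name)
    private final Map<String, Map<Principal, String>> roleOf = new HashMap<>();
    // policy context id -> (role name -> the permissions that make up the role)
    private final Map<String, Map<String, Permissions>> permsOf = new HashMap<>();

    void defineRole(String ctx, String role, Permission... perms) {
        Permissions pc = permsOf.computeIfAbsent(ctx, k -> new HashMap<>())
                                .computeIfAbsent(role, k -> new Permissions());
        for (Permission p : perms) pc.add(p);
    }

    void mapPrincipal(String ctx, Principal p, String role) {
        roleOf.computeIfAbsent(ctx, k -> new HashMap<>()).put(p, role);
    }

    // A Subject holds a permission if any principal it contains maps to a role granting it.
    boolean implies(String ctx, Subject subject, Permission wanted) {
        for (Principal p : subject.getPrincipals()) {
            String role = roleOf.getOrDefault(ctx, Map.of()).get(p);
            Permissions granted = role == null ? null : permsOf.getOrDefault(ctx, Map.of()).get(role);
            if (granted != null && granted.implies(wanted)) return true;
        }
        return false; // default deny: unmapped principal or unknown policy context
    }

    public static void main(String[] args) {
        RoleMappingExample policy = new RoleMappingExample();
        policy.defineRole("payroll-app", "admin",
                new AppPermission("employee.read"), new AppPermission("employee.update"));
        policy.mapPrincipal("payroll-app", new GroupPrincipal("administrators"), "admin");
        Subject subject = new Subject();
        subject.getPrincipals().add(new GroupPrincipal("administrators"));
        // Same subject, same permission: granted only in the context where the mapping exists.
        System.out.println(policy.implies("payroll-app", subject, new AppPermission("employee.update")));
        System.out.println(policy.implies("hr-app", subject, new AppPermission("employee.update")));
    }
}
```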
