Hi Geert,

Example: For one application you have viewers, authors, reviewers, approvers, etc. They are over different sets of data and the requirement specifies that they can only see or search for what they are authorized to see as the data moves through the content pipeline. Some need view/approve, some can view/review, some can do it all, etc. This makes it necessary for many combinations of these roles to be created in the MarkLogic server. We have many apps with different fine-grained roles that can be assigned. This makes for a "combinatorial" growth of users mapped to roles that has to be maintained in ML.

If Bob has 7 roles and an 8th is needed, a different user of some kind would need to exist or be created to grant that kind of access. When they log in, all the roles from all the apps must be combined into one user granting only what they have. Rather than somehow generate and manage users with all possible combinations of roles, we just create a user with that user's same username from LDAP, grant the roles on the fly, and log them in (on a redirected call if needed) using application-level authorization. Then on session timeout or inactivity for a prescribed time, we remove the sessions, profile, and user in a scheduled task (fairly straightforward, but with a few caveats). This method also allows the app to look at who is logged in for finer-grained tracking, etc.

Some, including myself, wonder at times about the necessity for such fine-grained access rights, but these are our requirements. There are really only two general options:

1) Carefully organize roles and combinations of roles and map to pre-created users for those combinations, limiting the combinations to some fixed, organized set. This is what MarkLogic supports without any extra work, or

2) Go completely dynamic as described above.

We chose 2. I hope this was clear enough.

David J. Steiner
Principal Engineer
[email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Geert Josten
Sent: Tuesday, October 06, 2009 11:12 AM
To: General Mark Logic Developer Discussion
Subject: RE: [MarkLogic Dev General] Integration with single sign on and directory services?

Hi David,

> I agree that keeping the integration at the XCC level is
> easier, but when roles/groups and their combinatorial mixes
> grow too large across multiple applications, doing it
> user-for-user becomes cleaner. Such is our case.

Can you elaborate a bit more on what you mean by user-for-user, and combinatorial mixes, to make sure I understand what you mean correctly.

Kind regards,
Geert

Drs. G.P.H. Josten
Consultant
http://www.daidalos.nl/

Daidalos BV
Source of Innovation
Hoekeindsehof 1-4
2665 JZ Bleiswijk
Tel.: +31 (0) 10 850 1200
Fax: +31 (0) 10 850 1199
http://www.daidalos.nl/
KvK 27164984

The information, sent in or with this e-mail message, originates from Daidalos BV and is intended solely for the addressee. If you have received this message unintentionally, we ask you to delete it. No rights can be derived from this message.

_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general

NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
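As an added sketch of option 2 above (not code from the thread or from MarkLogic), this XQuery provisions a transient MarkLogic user from an assumed LDAP lookup, sets its roles to exactly the directory's current set, writes a profile document for the cleanup job and logs the session in; the second function is the body of the scheduled task that removes idle users. It assumes MarkLogic 8 or later (xdmp:invoke-function), that local:ldap-roles, the "transient-users" collection and the 30-minute idle limit are the application's own choices, and that the caller runs in an update transaction with the xdmp:login privilege.

```xquery
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
declare variable $IDLE-LIMIT := xs:dayTimeDuration("PT30M"); (: assumed policy :)

(: Hypothetical app-side LDAP lookup; returns a constructed sample role set. :)
declare function local:ldap-roles($username as xs:string) as xs:string* {
  ("app1-viewer", "app2-reviewer", "app3-approver")
};

(: sec:* functions must run against the Security database. :)
declare function local:in-security-db($f as function() as item()*) as item()* {
  xdmp:invoke-function($f,
    <options xmlns="xdmp:eval">
      <database>{xdmp:security-database()}</database>
      <transaction-mode>update-auto-commit</transaction-mode>
    </options>)
};

(: Called after the app has authenticated the user against LDAP: create or
   re-sync the transient user, record a profile for cleanup, start a session. :)
declare function local:dynamic-login($username as xs:string) as xs:boolean {
  let $roles := local:ldap-roles($username)
  let $_ := local:in-security-db(function() {
    if (sec:user-exists($username))
    then sec:user-set-roles($username, $roles)   (: roles are exactly LDAP's set :)
    else sec:create-user($username, "transient LDAP user",
           xs:string(xdmp:random()),             (: throwaway: never used to log in :)
           $roles, (), ())
  })
  let $_ := xdmp:document-insert("/transient-users/" || $username || ".xml",
    <profile><user>{$username}</user><last-seen>{current-dateTime()}</last-seen></profile>,
    xdmp:default-permissions(), "transient-users")
  (: Empty password: no password check, so the caller needs the xdmp:login privilege. :)
  return xdmp:login($username, (), fn:true())
};

(: Scheduled task body: remove profile and user for anyone idle past the limit. :)
declare function local:expire-transient-users() as xs:string* {
  for $p in collection("transient-users")/profile
  let $name := $p/user/string()
  where xs:dateTime($p/last-seen) lt current-dateTime() - $IDLE-LIMIT
  return (
    local:in-security-db(function() {
      if (sec:user-exists($name)) then sec:remove-user($name) else ()
    }),
    xdmp:document-delete(xdmp:node-uri($p)),
    $name
  )
};
```

The application is expected to refresh last-seen on each request; that refresh and the app's own session store (the "sessions" David mentions) are left out here.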
