> If I understood you correctly I think it is a good
> idea. Are you saying that the application could:
>
> 1. Determine the permissions a Subject has to an
> object. In this case the permission set is ALL the
> permissions for ALL the principals associated with the
> Subject.
>
> 2. Determine the permissions a Principal has to an
> object.

I didn't see number 2 anywhere.

> How would the Security Manager deal with two
> principals having conflicting permissions - e.g. Role
> A has grant X permission and Role B has deny X
> permission. As there is no role hierarchy across the
> principals I am not sure how one would handle this?
>
> I was also wondering how organization is handled?
> For example Subject M1 has role Manager. Subjects
> W11, W12, W13... have role Worker. Only Manager M1 is
> authorized to perform some actions on entities for
> which they are the owner.

I believe our current model only considers "grant" permissions.

> - viraf

--
Gonzalo A. Diethelm
[EMAIL PROTECTED]