Hi All,
A question on the underlying design of a complex (or is it?) authorization
mechanism.
In a simple case, a user might have access to a folder, a file within this
folder and then "write" permission on it:
"folder:file_name:write"
One of the properties of the file is its size (>1M); some users may have
permission to the file only if it's smaller than 1M.
One option is to add this criteria as a top level thing, I guess..:
"1M:folder..."
But then, another property is relevant: what IP of SANs is the folder existing
in, A, B or C (some users might be entitled to see files >1M, but only if it's
in the A or B servers).
So is that a further top level?
"IP:1M:folder:*" ?
All in all, it might just be a simple design of permission exercise for people
with more experience on this. I'd appreciate thoughts or pointers on how to go
about designing this, and what would be the best place to store the metadata
eventually (Relational structure in DB, a file system?).
Many thanks,
Avner.
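
Added example, not part of the original message: one way to model the case described above is to keep the "folder:file_name:action" string for the resource and action, and to check file size and server as conditions attached to each grant rather than as further top-level parts. The names FileResource, Grant and is_permitted, and the sample user and files, are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

MB = 1024 * 1024

@dataclass(frozen=True)
class FileResource:
    folder: str
    name: str
    size: int    # bytes
    server: str  # "A", "B" or "C", as in the message

@dataclass(frozen=True)
class Grant:
    permission: str  # "folder:file_name:action"; "*" matches any one part
    max_size: Optional[int] = None  # if set, file must be smaller than this
    servers: Optional[FrozenSet[str]] = None  # if set, file must be on one of these

def _parts_match(pattern: str, requested: str) -> bool:
    # Assumption: folder and file names never contain ":".
    p, r = pattern.split(":"), requested.split(":")
    return len(p) == len(r) and all(a == "*" or a == b for a, b in zip(p, r))

def is_permitted(grants, res: FileResource, action: str) -> bool:
    requested = f"{res.folder}:{res.name}:{action}"
    for g in grants:
        if not _parts_match(g.permission, requested):
            continue
        if g.max_size is not None and res.size >= g.max_size:
            continue  # size condition not met
        if g.servers is not None and res.server not in g.servers:
            continue  # server condition not met
        return True
    return False  # default deny: no grant matched with all conditions met

# Constructed sample data: a user who may read small files anywhere,
# and files of any size only on servers A or B.
BOB = [
    Grant("reports:*:read", max_size=MB),
    Grant("reports:*:read", servers=frozenset({"A", "B"})),
]
SMALL_ON_C = FileResource("reports", "q1.csv", 200_000, "C")
BIG_ON_C = FileResource("reports", "dump.bin", 5 * MB, "C")
BIG_ON_A = FileResource("reports", "dump.bin", 5 * MB, "A")
```

Each grant is one row of metadata (permission string, optional size limit, optional server set), so it can be stored in a database table or a flat file alike.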