Just as an idea... not that it's relevant: sentences like "permission of file smaller than...", "bigger than..." etc. would make me consider combining discrete permissions together with spatial ones...
See examples here: https://github.com/cstamas/shiro-extras

Thanks,
~t~

On Fri, Apr 1, 2011 at 9:18 AM, Avner Cohen <[email protected]> wrote:
> Hi All,
>
> A question on the underlying design of a complex (or is it?) authorization
> mechanism.
>
> In a simple case, a user might have access to a folder, a file within this
> folder and then "write" permission on it:
>
> "folder:file_name:write"
>
> One of the properties of the file is its size (>1M), some user may have
> permission to the file, only if it's smaller than 1M.
>
> One option is to add this criteria as a top level thing, I guess..:
> "1M:folder..."
>
> But then, another property is relevant, what IP of SANs is the folder
> existing in A, B or C (some users might be entitled to see files >1M, but
> only if it's in the A or B servers).
>
> So is that a further top level?
> "IP:1M:folder:*" ?
>
> All in all, it might just be a simple design of permission exercise for
> people with more experience on this, I'd appreciate thoughts or pointers on
> how to go about designing this, and what would be the best place to store
> the metadata eventually (Rational structure in DB, a file system?).
>
>
> Many thanks,
> Avner.
>
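
One way to model what the thread discusses, keeping the discrete permission string ("folder:file_name:write") separate from the size and server conditions instead of prefixing them as extra levels. This is an added example, not code from either message or from Shiro; the `Grant` class, the simplified colon-delimited wildcard matcher, and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

MB = 1024 * 1024

def _parts(perm):
    # "folder:a.txt:read,write" -> [{"folder"}, {"a.txt"}, {"read", "write"}]
    return [set(p.split(",")) for p in perm.split(":")]

def wildcard_implies(granted, requested):
    """Simplified colon-delimited wildcard match (assumed semantics)."""
    g, r = _parts(granted), _parts(requested)
    for i, req in enumerate(r):
        if i >= len(g):
            return True  # a shorter grant covers all remaining parts
        if "*" not in g[i] and not req <= g[i]:
            return False
    # The grant is more specific than the request: extra parts must be "*".
    return all("*" in part for part in g[len(r):])

@dataclass(frozen=True)
class Grant:
    permission: str                           # discrete part
    max_size: Optional[int] = None            # bytes, exclusive; None = no limit
    servers: Optional[FrozenSet[str]] = None  # None = any server

    def allows(self, requested, size, server):
        if not wildcard_implies(self.permission, requested):
            return False
        if self.max_size is not None and size >= self.max_size:
            return False
        if self.servers is not None and server not in self.servers:
            return False
        return True

def is_permitted(grants, requested, size, server):
    # Deny by default; one grant whose constraints all hold is enough.
    return any(g.allows(requested, size, server) for g in grants)

# Constructed sample grants for two hypothetical users.
ALICE = [Grant("folder:*:write", max_size=MB)]  # only files under 1M
BOB = [
    Grant("folder:*:read", max_size=MB),                     # small files anywhere
    Grant("folder:*:read", servers=frozenset({"A", "B"})),   # any size on A or B
]

if __name__ == "__main__":
    print(is_permitted(ALICE, "folder:report.txt:write", 2 * MB, "A"))  # False
    print(is_permitted(BOB, "folder:big.iso:read", 5 * MB, "A"))        # True
```

Because the constraints live beside the permission string, adding another attribute means adding a field to the grant, not reshuffling the levels of every stored permission.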
