Hi,

In my application I use Apache Directory Server - but the application should be pluggable with any other directory - and the Triplesec API to manage authentication and authorization. With this combination I can add a grant to a role without having to define the related permission. I know it's not possible with a full Triplesec solution, but it's something I'm looking for because I need to add dynamic grants. It means an application admin (or a user who is able to add grants to another user) could build a grant. For instance:

- "viewjob JOB" - the user is able to see the job JOB
- "viewjob *" - the user is able to see all the jobs
- or, more complicated, "viewjob *[status='SUCCESS']" - view all the jobs with success status.

So this kind of permission can't already exist, or be created on the fly without a complex permission management:

- if the permission doesn't already exist -> create a new one
- if the grant is removed -> delete the permission, or does another user have this permission?
- if the grant is renamed -> remove the permission and create a new one, or just rename the permission?

So my questions are:

- Is it possible to use the Triplesec API (guardian and admin) without using the Triplesec server? For instance, can I use the guardian API with an OpenLDAP server?
- Is it possible to add grants to a role (or a profile) without having to define a related permission?

Regards,
Mathieu
