Todd from University of Illinois reported out on this hierarchy breakout:
The group started by talking about the University of Illinois at Urbana-Champaign.
Case: Developing an authorization system for networking objects such as switches, ports, routers, VLANs.
They have a database that holds this information for the campus networks. They need to authorize campus users to query the information they need. Groups are used as grantees. The privileges are create, update, read.
Important questions:
- Is there an accepted model for how to assign these privileges?
- Where should the business logic reside?
- Where is the most appropriate place to put this logic?
- How should inheritance and potential collisions be handled?
A lot of what was covered in the first couple of days of this CAMP was very relevant here.
We want to assign permissions to network ports and VLANs, so that a user can only modify a port if it is on a VLAN they have permission to.
Do we combine those things and have a port-to-VLAN relationship, or do we treat each as its own unit and put the rule in business logic, such as "if user X wants to do something they must have this privilege AND this privilege"?
Consensus is to assign privileges to the objects themselves and have the business logic navigate the relationships between them.
How to navigate the inheritance of the privileges themselves?
A couple of options; which one fits depends on the application.
1. Privileges can be inherited from a parent resource, with inheritance computed at runtime by navigating a permissions tree.
OR
Alternate solution:
2. Instantiate all privileges for all objects themselves, so that at runtime there is not a lot of computation to do.
But when there is an update, the business logic then needs to recalculate the privileges for the child objects.
In other words, with option 1 the work is done at query time, and with option 2 it is done at update time.
PaulH: It sounds like inheritance is applied to resources. In perMIT, inheritance is applied to the scope, not the resource. It's more about the data.
Todd: In our case at Univ. of Illinois, there is a Layer 3 network and there are VLANs that are a part of that, and ports on that VLAN.
The model says "this VLAN is in this network." Inheritance could be such that we assign a privilege to the network so that the privilege cascades.
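An added example, not from the CAMP notes and not perMIT or Illinois code, of the two inheritance options discussed above applied to the network -> VLAN -> port hierarchy Todd describes: option 1 walks up the parent chain at query time, option 2 keeps a precomputed table of effective privileges that must be recomputed for the child objects after an update. The network, VLAN, port and group names are constructed, and the example assumes grants are additive (the union of everything granted up the chain, with no deny rules), which is one answer to the collision question; a deny model would need different merge logic.

```python
# Added example (not from the CAMP notes, perMIT, or the Illinois system):
# a toy network -> VLAN -> port hierarchy with privileges assigned to the
# objects themselves, and the two inheritance strategies from the notes.
# Assumption: privileges are additive (union up the chain, no deny rules).

PRIVS = {"create", "read", "update"}


class Resource:
    """A network object. `parent` encodes "this VLAN is in this network" /
    "this port is on this VLAN". `grants` holds privileges assigned directly
    to this object, keyed by grantee group."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        self.grants = {}  # group -> set of privileges granted on this object
        if parent is not None:
            parent.children.append(self)


def grant(resource, group, priv):
    """Assign a privilege to the object itself (the consensus in the notes)."""
    if priv not in PRIVS:
        raise ValueError(f"unknown privilege {priv!r}")
    resource.grants.setdefault(group, set()).add(priv)


def has_priv_query_time(resource, groups, priv):
    """Option 1: inheritance computed at query time by walking up the tree.
    Always reflects the current grants; cost grows with hierarchy depth."""
    node = resource
    while node is not None:
        if any(priv in node.grants.get(g, ()) for g in groups):
            return True
        node = node.parent
    return False


class EffectiveIndex:
    """Option 2: effective privileges instantiated for every object up front.
    Lookup is a dictionary read, but an update must re-derive the subtree
    below the changed object or the index goes stale."""

    def __init__(self, root):
        self.effective = {}  # resource name -> {group: set of privileges}
        self.recompute(root)

    def recompute(self, node):
        """Re-derive `node` from its parent's effective set, then cascade."""
        inherited = self.effective.get(node.parent.name, {}) if node.parent else {}
        eff = {g: set(p) for g, p in inherited.items()}
        for g, p in node.grants.items():
            eff.setdefault(g, set()).update(p)
        self.effective[node.name] = eff
        for child in node.children:  # recalculate the child objects
            self.recompute(child)

    def has_priv(self, resource, groups, priv):
        eff = self.effective[resource.name]
        return any(priv in eff.get(g, ()) for g in groups)


def grant_and_recompute(index, resource, group, priv):
    """Update path for option 2: change the grant, then recalculate below it."""
    grant(resource, group, priv)
    index.recompute(resource)


def build_campus():
    """Constructed sample hierarchy: one Layer 3 network, two VLANs, two ports."""
    net = Resource("net-10.1.0.0/16")
    vlan100 = Resource("vlan100", net)
    vlan200 = Resource("vlan200", net)
    port1 = Resource("sw1/1", vlan100)
    port2 = Resource("sw2/7", vlan200)
    grant(net, "netops", "read")           # cascades to every VLAN and port
    grant(vlan100, "cs-admins", "update")  # cascades only to ports on vlan100
    return net, vlan100, vlan200, port1, port2


if __name__ == "__main__":
    net, v100, v200, p1, p2 = build_campus()
    idx = EffectiveIndex(net)
    print("cs-admins update sw1/1 (query time):", has_priv_query_time(p1, {"cs-admins"}, "update"))
    print("cs-admins update sw2/7 (index):     ", idx.has_priv(p2, {"cs-admins"}, "update"))
    grant(net, "cs-admins", "update")  # update without recomputing: index is stale
    print("after grant, query time:", has_priv_query_time(p2, {"cs-admins"}, "update"))
    print("after grant, stale index:", idx.has_priv(p2, {"cs-admins"}, "update"))
    idx.recompute(net)
    print("after recompute, index:", idx.has_priv(p2, {"cs-admins"}, "update"))
```

The `__main__` section shows the failure mode the notes warn about for option 2: a grant on the network is visible immediately to the query-time check, but the precomputed index keeps answering from the old state until the subtree under the changed object is recomputed.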