...
- Don't know if we can use a strict hierarchical model, but can use a mostly hierarchical model
One of the things we want to assign permissions to is network ports and VLANs. So a user can only modify a port if it's on a VLAN they have permission to.
Do we combine those things and have a port-to-VLAN relationship, or do we have each as its own unit and have business logic, such as "if user X wants to do something they must have this priv AND this priv"?
...
A couple of options. Depends on application situation.
1. Priv can be inherited from a parent resource, with inheritance computed at runtime by navigating a permissions tree
OR
Alternate solution
2. Instantiate all privileges for all objects themselves so at runtime don't need to do a lot of computation
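The two options above, combined with the "this priv AND this priv" rule for ports and VLANs, as an added Python example (not from the original notes). The resource names, users, grants and tree layout are constructed assumptions.

```python
# Added example. All names and the sample hierarchy are constructed.
class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        if parent:
            parent.children.append(self)

site = Node("site-a")
switch = Node("switch-1", site)
port = Node("port-7", switch)
vlan20 = Node("vlan-20", site)
NODES = {n.name: n for n in (site, switch, port, vlan20)}
PORT_VLAN = {"port-7": "vlan-20"}  # port-to-VLAN relationship

def new_grants():
    # Direct grants only: (user, resource) -> privileges
    return {("alice", "switch-1"): {"modify"},
            ("alice", "vlan-20"): {"modify"},
            ("bob", "switch-1"): {"modify"}}

def runtime_check(grants):
    """Option 1: walk from the resource up to the root at check time."""
    def check(user, resource, priv):
        node = NODES[resource]
        while node:
            if priv in grants.get((user, node.name), ()):
                return True
            node = node.parent
        return False
    return check

def materialized_check(grants):
    """Option 2: expand each grant onto all descendants ahead of time."""
    table = set()
    for (user, resource), privs in grants.items():
        stack = [NODES[resource]]
        while stack:
            n = stack.pop()
            table.update((user, n.name, p) for p in privs)
            stack.extend(n.children)
    return lambda user, resource, priv: (user, resource, priv) in table

def can_modify_port(check, user, port_name):
    """Rule from the notes: privilege on the port AND on its VLAN."""
    return (check(user, port_name, "modify")
            and check(user, PORT_VLAN[port_name], "modify"))
```

With option 2 the expanded table is a snapshot: after a grant is revoked or a resource moves in the tree, it keeps answering from the old state until it is rebuilt, so revocation has to trigger a rebuild.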
...