Skip to main content

Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.

Jump to: navigation, search

Difference between revisions of "HR Directory Access Control Policy"

(Notes)
 
(17 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{#eclipseproject:technology.higgins}}
+
{{#eclipseproject:technology.higgins|eclipse_custom_style.css}}
 
[[Image:Higgins_logo_76Wx100H.jpg|right]]
 
[[Image:Higgins_logo_76Wx100H.jpg|right]]
 +
Here is an example of the proposed Higgins/IdAS Access Control Policy for the "HR Directory" use case.
  
[[Image:Access-control-use-cases-hr-v2.png]]
+
[[Image:Hr5b.png]]
  
 
== Notes ==
 
== Notes ==
The above is a second (v2) attempt at modeling this use-case.  
+
The above is a third attempt at modeling this use-case. All outstanding issues have been addressed.
* A new diagramming style is used--it is more compact at representing the literal attributes of an Entity within a single rectangular box.
+
* A new diagramming style is used--it is more compact at representing the literal attributes of an Entity within a single rectangular box. The entire use case now fits on one diagram (just barely!)
* The entire use case now fits on one diagram (just barely!)
+
* The new ''groupSubject'' higgins:subject sub-attribute is now being used. This "tells" the Context that the subject for this policy is any subject that is a member of the stated Group (or any sub-group).
* The new ''group'' higgins:subject sub-attribute is now being used
+
* A new ''selfSubject'' boolean is now being used on the Policy to indicate that the implied subject is the Entity that represents the current IdAS consumer.
* A new ''selfInstanceOf'' higgins:subject sub-attribute is now being used
+
* The ''operation'' attribute of the Access Control policy is exclusively concerned with defining the "Entity" resource scope. It may or may not be further restricted to specific attribute types by the use of the ''onAttribute''  (see next bullet).
* See [[HOWL Update 1.1.104]] for related changes to support this use case
+
* The new "selfModify" higgins:operation sub-attribute is used to scope the resource in question for this policy to be the entity that represents current IdAS consumer.
 +
* A new attribute ''onAttribute'' is now being used. This attribute, if present, restricts the policy to apply only to attribute type(s) explicitly listed as its values.
  
The problem found last week remains. First some background. It seems clear that these two dimensions of "resource scoping" should be orthogonal:
+
* See [[HOWL Update 1.1.105]] and [[HOWL Update 1.1.104]] for related changes to support this use case
*# what Attribute type(s) the Policy is talking about
+
*# the set of Entities that the Policy is talking about
+
The problem is that ex:p[1-3]'s :read and :modify links all "point" to an Attribute type, but these links don't indicate what set of Entities we're talking about since one Attribute type may be used by N Entity classes.
+
  
 
==See Also==
 
==See Also==
* [[Access Control Use Cases]] - back to use cases
+
* [http://wiki.eclipse.org/Access_Control_Use_Cases#HR_directory (this) HR Directory use case]
 +
* all [[Access Control Use Cases]]

Latest revision as of 11:29, 14 September 2010

{{#eclipseproject:technology.higgins|eclipse_custom_style.css}}

Higgins logo 76Wx100H.jpg

Here is an example of the proposed Higgins/IdAS Access Control Policy for the "HR Directory" use case.

Hr5b.png

Notes

The above is a third attempt at modeling this use-case. All outstanding issues have been addressed.

  • A new diagramming style is used--it is more compact at representing the literal attributes of an Entity within a single rectangular box. The entire use case now fits on one diagram (just barely!)
  • The new groupSubject higgins:subject sub-attribute is now being used. This "tells" the Context that the subject for this policy is any subject that is a member of the stated Group (or any sub-group).
  • A new selfSubject boolean is now being used on the Policy to indicate that the implied subject is the Entity that represents the current IdAS consumer.
  • The operation attribute of the Access Control policy is exclusively concerned with defining the "Entity" resource scope. It may or may not be further restricted to specific attribute types by the use of the onAttribute (see next bullet).
  • The new "selfModify" higgins:operation sub-attribute is used to scope the resource in question for this policy to be the entity that represents current IdAS consumer.
  • A new attribute onAttribute is now being used. This attribute, if present, restricts the policy to apply only to attribute type(s) explicitly listed as its values.

See Also

Retrieved from "https://wiki.eclipse.org/index.php?title=HR_Directory_Access_Control_Policy&oldid=219905"

This page was last modified 11:29, 14 September 2010 by Eclipsepedia anonymous user Unnamed Poltroon.

Back to the top