From: Adam R. <ad...@ex...> - 2010-09-28 08:47:47
On 28 September 2010 09:42, Thomas White <tho...@gm...> wrote:
> On 27 September 2010 16:12, Adam Retter <ad...@ex...> wrote:
>>
>> >> 2) Any user can remove themselves from any group they choose - I
>> >> cannot think of a case where downgrading a user's rights prevents a
>> >> security risk. This is the user's right!
>> > I did mail before, we must agree on terms we are going to use. 'owner'
>> > is quite good, but limited. My offer: group's 'manager'
>>
>> Owner or manager really makes no difference to me. In English it would
>> seem to me that 'owner' is the more accurate and succinct term.
>>
>> > (can change members list & permissions for group, it can be 2
>> > different roles) & 'member' (use group's permissions). It is simple
>> > to see that there can be a person that can manage, but have no access
>> > for resources.
>>
>> I am not clear on why a group would have 'permissions'? Surely
>> collections and resources have permissions in terms of owner and
>> group, but not the group object itself.
>
> Adam, I think Dmitriy is proposing a model where there is a clear
> separation between being a member of a group and managing the group
> itself. I quite like the idea and it takes care of a common case from
> the practice.
>
> Example: An admin who manages the group of CEO users does not need to
> have access to the confidential reports in a collection, available to
> the members of this group.

Dmitriy is that the case? If so your explanation has made this much more
understandable for me, thanks :-)

Of course this is what CEOs want, but in my experience the admin can
always access absolutely anything if he or she wants to ;-)

> When we discuss eXist security matters I think it is high time to start
> looking at it from a slightly bigger perspective. Imagine a company of
> 1000 employees where to have one admin user that does it all is neither
> possible nor practical. There will be teams of admins dealing with a
> variety of jobs across the teams and departments.
>
> Thomas
>
>> --
>> Adam Retter
>>
>> eXist Developer
>> { United Kingdom }
>> ad...@ex...
>> irc://irc.freenode.net/existdb

--
Adam Retter

eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb