From: Dmitriy S. <sha...@gm...> - 2010-09-28 15:04:59
On Tue, Sep 28, 2010 at 1:47 PM, Adam Retter <ad...@ex...> wrote:

> On 28 September 2010 09:42, Thomas White <tho...@gm...> wrote:
> > On 27 September 2010 16:12, Adam Retter <ad...@ex...> wrote:
> >>
> >> >>2) Any user can remove themselves from any group they choose - I
> >> >>cannot think of a case where downgrading a user's rights prevents a
> >> >>security risk. This is the user's right!
> >> > I did mail before, we must agree on the terms we are going to use.
> >> > 'owner' is quite good, but limited. My offer: group's 'manager'
> >>
> >> Owner or manager really makes no difference to me. In English it would
> >> seem to me that 'owner' is the more accurate and succinct term.
> >>
> >> > (can change members list & permissions for group, it can be 2
> >> > different roles) & 'member' (use group's permissions). It is simple
> >> > to see that there can be a person that can manage, but have no
> >> > access for resources.
> >>
> >> I am not clear on why a group would have 'permissions'? Surely
> >> collections and resources have permissions in terms of owner and
> >> group, but not the group object itself.
> >
> > Adam, I think Dmitriy is proposing a model where there is a clear
> > separation between being a member of a group and managing the group
> > itself. I quite like the idea and it takes care of a common case from
> > the practice.
> >
> > Example: An admin who manages the group of CEO users does not need to
> > have access to the confidential reports in a collection, available to
> > the members of this group.
>
> Dmitriy is that the case? If so your explanation has made this much
> more understandable for me, thanks :-)

Explanation is my weakness :-)

> Of course this is what CEOs want, but in my experience the admin can
> always access absolutely anything if he or she wants to ;-)

I'm admin, but I don't have time to do all stuff after all. So, it's more of
job sharing ...

> > When we discuss eXist security matters I think it is high time to start
> > looking at it from a slightly bigger perspective. Imagine a company of
> > 1000 employees where to have one admin user that does it all is neither
> > possible nor practical. There will be teams of admins dealing with a
> > variety of jobs across the teams and departments.
> >
> > Thomas
> >
> >>
> >> --
> >> Adam Retter
> >>
> >> eXist Developer
> >> { United Kingdom }
> >> ad...@ex...
> >> irc://irc.freenode.net/existdb
>
> --
> Adam Retter
>
> eXist Developer
> { United Kingdom }
> ad...@ex...
> irc://irc.freenode.net/existdb

--
Dmitriy Shabanov
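
The manager/member separation discussed in this thread, sketched as an added example; it is not part of the original message and not eXist's code. All class, function and user names are hypothetical, and the audit list is an assumption added to reflect the remark that an admin can still grant themselves access.

```python
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Raised when an actor lacks the role needed for a group change."""

@dataclass
class Group:
    name: str
    managers: set = field(default_factory=set)  # may edit the member list
    members: set = field(default_factory=set)   # get the group's access to resources
    audit: list = field(default_factory=list)   # assumption: every change is logged

@dataclass
class Resource:
    path: str
    owner: str
    group: Group

def add_member(actor, group, user):
    """Only a manager may add members; being a member is not enough."""
    if actor not in group.managers:
        raise AccessDenied(f"{actor} does not manage {group.name}")
    group.members.add(user)
    group.audit.append((actor, "add", user))

def remove_member(actor, group, user):
    """Managers may remove anyone; any user may remove themselves."""
    if actor != user and actor not in group.managers:
        raise AccessDenied(f"{actor} may not remove {user} from {group.name}")
    group.members.discard(user)
    group.audit.append((actor, "remove", user))

def can_read(user, resource):
    """Access follows ownership or membership, never the manager role."""
    return user == resource.owner or user in resource.group.members

def demo():
    # Constructed sample data: user names and the path are made up.
    ceos = Group("ceo", managers={"admin1"})
    report = Resource("/db/reports/q3.xml", owner="alice", group=ceos)
    add_member("admin1", ceos, "bob")
    before = can_read("admin1", report)   # manager, not a member
    add_member("admin1", ceos, "admin1")  # allowed, but leaves an audit entry
    return before, can_read("admin1", report), ceos.audit[-1]

if __name__ == "__main__":
    print(demo())
```

In this sketch the manager role alone grants no read access; a manager who adds themselves as a member gains it, and that change is the one visible in the audit list.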