[ http://jira.jboss.com/jira/browse/JBRULES-428?page=comments#action_12341332 ] Michael Neale commented on JBRULES-428: --------------------------------------- NOTE: reading the JCR spec, you can assign permissions to individual nodes, so I guess we should use that, then the JCR container will enforce it. Also, the query API will also respect it. If this is that case, it would be better to use the out of the box stuff then re-implementing it. Refer to 6.6.1.2 of the JCR spec, and also 6.9. Some custom work may need to be done to setup the credentials mapping. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ http://jira.jboss.com/jira/browse/JBRULES-428?page=all ] Fernando Meyer reassigned JBRULES-428: -------------------------------------- Assignee: Fernando Meyer (was: Michael Neale) -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ http://jira.jboss.com/jira/browse/JBRULES-428?page=all ] Fernando Meyer updated JBRULES-428: ----------------------------------- Description: Rule nodes (at least) need to have an ACL: what groups can access it in what capacity. First need to have a structure for ACLs to be stored. They should be tied to user groups/roles, not individual logins. JAAS should provide the user name and the users context (group membership) I believe. When there is an ACL, it must be checked to see if the user (via their group membership) can do one of the following: Edit, change status, view, delete. If they can't view, ideally it will not be shown in any "lists", but if that is not feasable, it would be acceptable to list it, but not show the contents. Will need to be able to set permission from within an admin facility of the application. see http://wiki.jboss.org/wiki/Wiki.jsp?page=RulesRepositoryRoleAuthorization for more details was: Rule nodes (at least) need to have an ACL: what groups can access it in what capacity. First need to have a structure for ACLs to be stored. They should be tied to user groups/roles, not individual logins. JAAS should provide the user name and the users context (group membership) I believe. When there is an ACL, it must be checked to see if the user (via their group membership) can do one of the following: Edit, change status, view, delete. If they can't view, ideally it will not be shown in any "lists", but if that is not feasable, it would be acceptable to list it, but not show the contents. Will need to be able to set permission from within an admin facility of the application. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ http://jira.jboss.com/jira/browse/JBRULES-428?page=comments#action_12399386 ] Fernando Meyer commented on JBRULES-428: ---------------------------------------- We can use the get users from the JAAS what do you think? -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ http://jira.jboss.com/jira/browse/JBRULES-428?page=comments#action_12399388 ] Fernando Meyer commented on JBRULES-428: ---------------------------------------- Jackrabbit SimpleAccessManager class only supports three access levels: anonymous, normal, and system. I think I will need to implement a custom AccessManager class to get more advanced AC, implementing the AccessManager interface I think we can internally use the jboss security api to control that. @Anil, I've already spoken with Stefan about that, I'm taking a look into security's api -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ http://jira.jboss.com/jira/browse/JBRULES-428?page=all ] Mark Proctor updated JBRULES-428: --------------------------------- Assignee: Michael Neale (was: Fernando Meyer) -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://jira.jboss.org/browse/JBRULES-428?page=com.atlassian.jira.plugin.... ] Toni Rikkola updated JBRULES-428: --------------------------------- Parent: (was: JBRULES-684) Issue Type: Feature Request (was: Sub-task) -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira