[security-dev] IDM Realms and Applications - The Nitty Gritty
Shane Bryzak
sbryzak at redhat.com
Thu Nov 15 20:39:05 EST 2012
On 11/16/2012 11:19 AM, Shane Bryzak wrote:
> On 11/16/2012 10:33 AM, Bill Burke wrote:
>> On 11/15/2012 4:55 PM, Shane Bryzak wrote:
>>> On 11/16/2012 06:25 AM, Bill Burke wrote:
>>>> I don't think your design incorporates the idea of a distributed
>>>> application: a set of services and websites that makes up one
>>>> application. In other words the fun SOA buzzword.
>>> Even the latest design?
>>>
>>>> In my mind, you have a bunch of distributed services. Each service may
>>>> or may not have its own roles and role mappings. A user is allowed to
>>>> execute on a set of services and those services may call other services.
>>>> For example: a user may interact solely with Website A, but Website A
>>>> may need to interact with other services.
>>>>
>>>> So, the actors would be Realm, Applications, Services, Users.
>>> I'd like to see a specific example demonstrating this use case. Would it
>>> be possible for the services that make up a single application to simply
>>> share the roles defined by that application? Adding yet another layer to
>>> the current design is going to really complicate things further.
>>>
>> A user might be "admin" for one service, but not "admin" for a different
>> service. Service "A" might want to invoke on Service "B" on behalf of
>> the user. Doesn't that have to be conveyed in the model somehow?
>>
>> Bill
>>
> Maybe what we really need to do is find another name for the abstraction
> that we're currently referring to as Application. The only reason we
> currently have Applications is to support application-specific roles,
> which is exactly what you're suggesting we do for Services.
Actually, how about we just introduce a new, hierarchical abstraction
which we call "Tier", and allow roles to be granted at various levels.
This way, the application could be modelled as a parent tier, and
services could be modelled as sub-tiers of the application. Roles
granted at the parent tier level would automatically become inherited by
the sub-tier, so at the application tier you could grant general roles,
then for each service tier you could grant more specific roles. Would
that work?
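To make the "Tier" proposal concrete, here is a small Python model of the idea as an added example; it is not PicketLink code and not code from anyone on the list. Realm, Tier, RoleStore and the constructed "acme" realm with a "webapp" application tier and two service sub-tiers are all hypothetical names chosen for the illustration. Roles are granted to a user at a specific tier, and resolution walks from the requested tier up through its parents, so a role granted at the application tier is inherited by every service under it while a role granted at one service stays confined to that service. The constructor also refuses a sub-tier whose parent sits in another realm, so inheritance can never cross a realm boundary.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Realm:
    """A realm is the outer boundary; nothing is inherited across realms."""
    name: str


@dataclass(frozen=True)
class Tier:
    """One level of the hierarchy: an application, or a service beneath it.

    A tier with no parent is a top-level (application) tier; a tier with a
    parent is a sub-tier (service) of that application.
    """
    realm: Realm
    name: str
    parent: Tier | None = None

    def __post_init__(self) -> None:
        # Guard the realm boundary: a sub-tier must belong to the same realm as
        # its parent, otherwise grants made in one realm would leak into another.
        if self.parent is not None and self.parent.realm != self.realm:
            raise ValueError(f"tier {self.name!r} would cross a realm boundary")

    def chain(self) -> list[Tier]:
        """This tier followed by its ancestors, most specific first."""
        out: list[Tier] = []
        tier: Tier | None = self
        while tier is not None:
            out.append(tier)
            tier = tier.parent
        return out


class RoleStore:
    """Role grants keyed by (user, tier); lookups inherit down the tier chain."""

    def __init__(self) -> None:
        self._grants: dict[tuple[str, Tier], set[str]] = {}

    def grant(self, user: str, role: str, tier: Tier) -> None:
        """Grant `role` to `user` at exactly this tier."""
        self._grants.setdefault((user, tier), set()).add(role)

    def effective_roles(self, user: str, tier: Tier) -> frozenset[str]:
        """Roles the user holds at `tier`, including those inherited from parents."""
        roles: set[str] = set()
        for level in tier.chain():
            roles |= self._grants.get((user, level), set())
        return frozenset(roles)

    def has_role(self, user: str, role: str, tier: Tier) -> bool:
        return role in self.effective_roles(user, tier)


def build_demo() -> tuple[RoleStore, dict[str, Tier]]:
    """Constructed sample: one realm, one application, two service sub-tiers."""
    acme = Realm("acme")                                  # hypothetical realm
    webapp = Tier(acme, "webapp")                         # application tier
    svc_a = Tier(acme, "service-a", parent=webapp)        # service sub-tier
    svc_b = Tier(acme, "service-b", parent=webapp)        # service sub-tier

    store = RoleStore()
    store.grant("alice", "user", webapp)   # general role at the application level
    store.grant("alice", "admin", svc_a)   # specific role at one service only
    return store, {"webapp": webapp, "service-a": svc_a, "service-b": svc_b}


if __name__ == "__main__":
    store, tiers = build_demo()
    for name, tier in tiers.items():
        print(f"alice @ {name}: {sorted(store.effective_roles('alice', tier))}")
```

This is also how Bill's service-to-service case falls out of the model: when "service-a" invokes "service-b" on alice's behalf, "service-b" evaluates alice's roles at its own tier, so the "user" role inherited from the application applies there but the "admin" role granted only at "service-a" does not.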