[alf-req] Do roles play a role in the ALF runtime?
All,

We left off yesterday's discussions about roles with no clear understanding of what role roles play within ALF. I would like to offer up the following to start off the debate:

Thesis: Roles play no official role in the ALF runtime.

Why?

First, we already decided that ALF would not provide any user management except through an SPI. Without users, how do we assign roles? Where do we manage roles? How do we use roles?

Second, it is unlikely that tool vendors will delegate security and permissions checking to ALF. Thus ALF roles, if they exist, can be descriptive, but not prescriptive. If this is the case, then ALF roles are an unnecessary complexity within ALF and should be shaved away, at least for the first release.

I would like to propose that we delegate role administration to the same SPI that will allow central user authentication. The SPI plug-in can include role information associated with a user's credentials if it is so implemented, and the tools within a service flow can make use of that role information if they are so configured, but officially, roles play no part in the ALF runtime. Note that WS-Security supports this usage.

That said, we do need some sort of permissions checking for the ALF administrator, else anyone would be able to publish a service flow. We could delegate administrative permission checking to another SPI, and provide simple userid/password checking in the example implementation. Then ALF would be completely out of the userid/role/permission/authorization business. At least for the first release.

Please, everyone, let's get arguing!
shaw
Kelly Shaw
Sr. Product Marketing Manager
Serena Software
719-457-8811
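
The arrangement proposed in the message above, sketched as an added example that is not part of the original post and not ALF code: one SPI authenticates and may attach roles, a second SPI decides who may publish, and the runtime forwards roles without reading them. All class and method names are hypothetical, and a service-flow tool is assumed to be a callable that receives the credentials.

```python
# Added sketch: every class and method name is hypothetical, not an ALF interface.
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional, Protocol

@dataclass(frozen=True)
class Credentials:
    user_id: str
    roles: tuple = ()  # set by the plug-in if it has any; never read by the runtime
class AuthProvider(Protocol):      # SPI for central user authentication
    def authenticate(self, user_id: str, password: str) -> Optional[Credentials]: ...
class AdminAuthorizer(Protocol):   # separate SPI for administrative permission
    def may_publish(self, creds: Credentials) -> bool: ...
def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SimplePasswordProvider:      # example AuthProvider plug-in (userid/password)
    def __init__(self):
        self._users = {}
    def add_user(self, user_id, password, roles=()):
        salt = os.urandom(16)
        self._users[user_id] = (salt, _kdf(password, salt), tuple(roles))
    def authenticate(self, user_id, password):
        # Unknown users still cost one KDF run, so timing does not reveal them.
        salt, stored, roles = self._users.get(user_id, (b"\0" * 16, b"", ()))
        ok = hmac.compare_digest(_kdf(password, salt), stored)
        return Credentials(user_id, roles) if ok else None

class AdminList:                   # example AdminAuthorizer plug-in
    def __init__(self, admins):
        self._admins = frozenset(admins)
    def may_publish(self, creds):
        return creds.user_id in self._admins

class Runtime:                     # stand-in for the ALF runtime
    def __init__(self, auth: AuthProvider, admin: AdminAuthorizer):
        self._auth, self._admin, self.flows = auth, admin, {}
    def _login(self, user_id, password):
        creds = self._auth.authenticate(user_id, password)
        if creds is None:
            raise PermissionError("authentication failed")
        return creds
    def publish_flow(self, user_id, password, name, tools):
        if not self._admin.may_publish(self._login(user_id, password)):
            raise PermissionError("not permitted to publish")
        self.flows[name] = list(tools)
    def run_flow(self, user_id, password, name):
        creds = self._login(user_id, password)
        # Credentials, roles included, go to each tool untouched; the tool decides.
        return [tool(creds) for tool in self.flows[name]]
```

Swapping `SimplePasswordProvider` or `AdminList` for another plug-in changes who is authenticated, which roles appear and who may publish, without touching `Runtime`.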