[alf-req] Do roles play a role in the ALF runtime?

All,
 
We left off yesterday's discussions about roles with no clear understanding of what role roles play within ALF. I would like to offer up the following to start off the debate:
 
Thesis: Roles play no official role in the ALF runtime.
 
Why?
 
First, we already decided that ALF would not provide any user management except through an SPI. Without users, how do we assign roles? Where do we manage roles? How do we use roles?
 
Second, it is unlikely that tool vendors will delegate security and permissions checking to ALF. Thus ALF roles, if they exist, can be descriptive, but not prescriptive. If this is the case, then ALF roles are an unnecessary complexity within ALF and should be shaved away, at least for the first release.
 
I would like to propose that we delegate role administration to the same SPI that will allow central user authentication. The SPI plug-in can include role information associated with a user's credentials if it is so implemented, and the tools within a service flow can make use of that role information if they are so configured, but officially, roles play no part in the ALF runtime. Note that WS-Security supports this usage.
 
That said, we do need some sort of permissions checking for the ALF administrator, else anyone would be able to publish a service flow. We could delegate administrative permission checking to another SPI, and provide simple userid/password checking in the example implementation. Then ALF would be completely out of the userid/role/permission/authorization business. At least for the first release.
 
Please, everyone, let's get arguing!
 
shaw
 
Kelly Shaw
Sr. Product Marketing Manager
Serena Software
719-457-8811
