Differences
This shows you the differences between two versions of the page.
dev:acldesign [2008/04/14 12:01] fran Tidy-up
dev:acldesign [2009/07/06 20:36] (current)
Line 1: | Line 1: | ||
- | Main Author: [[http:// | + | Important Note: This page is DEPRECATED! |
+ | The new approach is documented here: | ||
+ | * [[security | Data Security and Privacy Design]] | ||
====== Introduction ====== | ====== Introduction ====== | ||
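Review bot: the deprecation banner added at Line 1 links to the replacement page but gives no date or reason, so a reader cannot tell how stale the ACL design below is; since the revision header shows this change landed on 2009/07/06, add that date to the note (e.g. "DEPRECATED since 2009/07: see [[security | Data Security and Privacy Design]]") and state in one clause why the phpGACL approach was dropped.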
Line 24: | Line 26: | ||
The advanced user can directly specify the permissable actions for a user for each resource without relying on roles. | The advanced user can directly specify the permissable actions for a user for each resource without relying on roles. | ||
+ | |||
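Review bot: "permissable" should be "permissible" in the sentence at Line 24/26; this hunk only adds a blank line under it, so the typo carries through into the new revision.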
Line 62: | Line 65: | ||
cannot edit. | cannot edit. | ||
+ | [[acl|More complete Example]] | ||
Though the main resource we protect is the functions, the design allows | Though the main resource we protect is the functions, the design allows | ||
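Review bot: the new link line "[[acl|More complete Example]]" is placed directly between the sentence ending "cannot edit." and the paragraph starting "Though the main resource we protect is the functions", with no separating blank line visible in the hunk; DokuWiki joins adjacent lines into one paragraph, so put a blank line on each side (or make it a bullet) so the link reads as a pointer rather than as part of the surrounding sentence.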
Line 67: | Line 71: | ||
not arisen so far. | not arisen so far. | ||
- | ====== Deep in to the design ====== | ||
- | from a technical point of view , there is an open source class phpGACL( http:// | ||
- | powerfull ACL capabilities. once you download phpGACL , in docs ,there is a very easy to understand manual ,i have attached it. | ||
- | just for your information GACL concept is | ||
- | there are resources/objects you need access | + | ====== Deep into the design ====== |
+ | This implementation is based on the open source class phpGACL: http:// | ||
+ | phpGACL has a very easy to understand manual, included in the download. | ||
- | there are requesters for these objects(e.g users): Access Request Objects (ARO) | + | GACL concept is: |
- | + | * There are resources/ | |
- | Then for fine grain control there are AXO' | + | * There are requesters for these objects (e.g users): Access Request Objects (ARO) |
+ | | ||
AXOs are identical to AROs in many respects. There is an AXO tree (separate from the ARO tree), with it's own Groups and AXOs. When dealing with AXOs, consider an AXO to take the old role of the ACO (i.e. " | AXOs are identical to AROs in many respects. There is an AXO tree (separate from the ARO tree), with it's own Groups and AXOs. When dealing with AXOs, consider an AXO to take the old role of the ACO (i.e. " | ||
ARO and ACO-only View: | ARO and ACO-only View: | ||
- | + | * AROs: Things requesting access | |
- | AROs: Things requesting access | + | |
- | + | ||
- | ACOs: Things to control access on | + | |
ARO, ACO and AXO View: | ARO, ACO and AXO View: | ||
- | + | * AROs: Things requesting access | |
- | AROs: Things requesting access | + | |
- | + | | |
- | ACOs: Actions that are requested | + | |
- | + | ||
- | AXOs: Things to control access on | + | |
Example: | Example: | ||
- | + | * A website manager is trying to manage access to projects on the website. The ARO tree consists of all the users: | |
- | A website manager is trying to manage access to projects on the website. The ARO tree consists of all the users: | + | |
Website | Website | ||
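Review bot: the third bullet of the "GACL concept is:" list is empty, and the old sentence "Then for fine grain control there are AXO'..." that introduced AXOs has been dropped, so the unchanged paragraph "AXOs are identical to AROs in many respects" now refers to a term the page never defines; restore a bullet such as "* For fine grain control there are Access eXtension Objects (AXO)". While touching this hunk, the phpGACL reference on the new side shows only "http://" with no host, so confirm the full URL survives in the page source, and "e.g users" should be "e.g. users".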
Line 132: | Line 129: | ||
The actions that can be taken with each project are " | The actions that can be taken with each project are " | ||
- | GACL provides a very easy to use API to specify ACO, ARO,AXO | + | GACL provides a very easy to use API to specify ACO, ARO, AXO. |
- | GACL is used by many popular sites.(dotProject, Mambo) | + | Once we verify the user identity |
- | see http:// | ||
- | therefore once we verify the user identity , we just need to call the API with the username(or role) , with the name of the resource and the action. | + | GACL is used by many popular projects |
- | + | * see http:// | |
- | it will output DENY or ALLOW. | + | |
+ | Main Author: [[http:// | ||
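Review bot: on the new side the sentence "Once we verify the user identity" stops short, while the old text it replaces went on to say that the API is called with the username (or role), the resource name and the action, and returns ALLOW or DENY; that is the only place the page says what the access check actually takes and returns, so carry the rest of the sentence over, e.g. "Once we verify the user identity, we call the API with the username (or role), the resource name and the action; it returns ALLOW or DENY." The rewrite also drops the named deployments (dotProject, Mambo) in favour of "many popular projects" with a bare "see http://" bullet, so either restore the names or complete the link.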