Story #1619
Revise AccessPolicy and AccessRule
100%
Subtasks
History
#1 Updated by Dave Vieglais almost 13 years ago
The current definition of AccessPolicy and AccessRule is confusing as an AccessRule can have multiple subjects, permissions, and target resources, and a given object may have multiple AccessPolicies which contain multiple AccessRule instances.
Would like to redefine AccessRule to be:
<xs:complexType name="AccessRule">
<xs:sequence>
<xs:element name="subject" type="d1:Subject"
minOccurs="1" maxOccurs="unbounded" />
<xs:element name="permission" type="d1:Permission"
minOccurs="1" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
That is, removing the resource (since this is defined by the SystemMetadata containing the AccessPolicy that contains the AccessRule).
This enables a clear expression of the rules that apply to any given object, since the rules always apply to the containing system metadata document.
(note: previous description included a change to a single permission entry per access rule. This suggestion has been dropped so that a single AccessRule can for example state that Tom, Dick, and Harry have READ and WRITE access on some object)
#2 Updated by Dave Vieglais almost 13 years ago
- Assignee set to Dave Vieglais
#3 Updated by Dave Vieglais almost 13 years ago
- Category set to Authentication, Authorization
#4 Updated by Dave Vieglais almost 13 years ago
- Status changed from New to Closed
Closed with r3990.
