Nesting groups requires schema change
If we are supporting nested groups for the purpose of inheriting the access rights of a parent group, the Group datatype needs an isMemberOf element for efficiently building subjectInfo from a given subject.
Currently the parent group references the subgroup using the hasMember element, but there is no reference from the subgroup to the parent group. This is problematic because the starting point for building the SubjectInfo for a certificate is typically a Person subject. The Person.isMemberOf element allows traversal to Groups that they are directly members of, but if those groups are subgroups of other Groups, there's no reference to them.
CN.getSubjectInfo needs to traverse every registered group and subgroup to pick up parent Groups for a particular person (even if there aren't any, it needs to check).
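The cost difference described above, as an added example (not DataONE code): resolving a subject's inherited groups by scanning every group's hasMember list versus following a child-to-parent isMemberOf link, with a membership cycle included so both traversals must terminate. The subject names, function names, and the reverse index standing in for a Group isMemberOf element are assumptions made for illustration.

```python
# Constructed registry in the current schema's shape: group -> hasMember subjects.
# staff -> admins -> loop -> staff is a deliberate membership cycle.
HAS_MEMBER = {
    "CN=staff": ["CN=alice", "CN=bob", "CN=loop"],
    "CN=curators": ["CN=staff"],
    "CN=admins": ["CN=curators", "CN=staff"],
    "CN=loop": ["CN=admins"],
    "CN=unrelated": ["CN=carol"],
}

def groups_by_full_scan(subject, has_member):
    """Parent->child links only: every pass must examine every registered group."""
    found, frontier, examined = set(), {subject}, 0
    while frontier:
        newly_found = set()
        for group, members in has_member.items():
            examined += 1
            if group not in found and frontier.intersection(members):
                newly_found.add(group)
        found |= newly_found
        frontier = newly_found  # empty once no new parent appears, so cycles end
    return found, examined

def build_is_member_of(has_member):
    """Hypothetical stand-in for an isMemberOf element on Group (child -> parents)."""
    index = {}
    for group, members in has_member.items():
        for member in members:
            index.setdefault(member, set()).add(group)
    return index

def groups_by_is_member_of(subject, is_member_of):
    """Child->parent links: only the subject's own ancestry is touched."""
    found, stack, examined = set(), [subject], 0
    while stack:
        for parent in is_member_of.get(stack.pop(), ()):
            examined += 1
            if parent not in found:  # visited check keeps the cycle from looping
                found.add(parent)
                stack.append(parent)
    return found, examined

IS_MEMBER_OF = build_is_member_of(HAS_MEMBER)

if __name__ == "__main__":
    for who in ("CN=alice", "CN=dave"):  # dave belongs to no group
        print(who, groups_by_full_scan(who, HAS_MEMBER),
              groups_by_is_member_of(who, IS_MEMBER_OF))
```

Both functions return the same group set; only the number of membership entries examined differs, and the full scan still examines every group for a subject that belongs to none.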
#2 Updated by Dave Vieglais over 10 years ago
This does indeed appear to be a significant deficiency in the schema design, and precludes the use of nested groups.
Since this is a schema change, it will be necessary to defer until after initial release, which in turn implies that we should not directly support nested groups; however, I do not believe there are any checks against groups containing group subjects.
#6 Updated by Dave Vieglais over 10 years ago
- Target version deleted (
- Milestone changed from CCI-1.1 to None
This issue will require fairly widespread changes.
Need to discuss and develop detailed specifications before implementing if necessary.