Posted to jetspeed-dev@portals.apache.org by "Ate Douma (JIRA)" <je...@portals.apache.org> on 2008/06/03 14:54:44 UTC

[jira] Created: (JS2-873) Simplified parent-child relationship model for Roles and Groups

Simplified parent-child relationship model for Roles and Groups
---------------------------------------------------------------

                 Key: JS2-873
                 URL: https://issues.apache.org/jira/browse/JS2-873
             Project: Jetspeed 2
          Issue Type: New Feature
          Components: Admin Portlets, Security
    Affects Versions: 2.2
            Reporter: Ate Douma
             Fix For: 2.2


The current Jetspeed security role/group model *technically* supports a hierarchical relationship.
In practice though, this isn't used really, nor do the j2-admin portlets support it through the UI.
Furthermore, the hierarchical relationship is based on a specific (preferences) hierarchy naming which really doesn't fit well (better said: not at all) with a backend like LDAP.
The current model simply cannot be used with LDAP for using role-group relationships.

A typical use-case requiring a more simple and straightforward solution:
- defining organisation divisions and subdivisions as groups and defining a parent-child relationship between them
- a user belonging to a division group then also belongs to any subdivision group of that division
- the same goes for roles, the user could automatically inherit the roles assigned to the subdivision group. 

As AFAIK the hierarchical relationship model isn't used at all right now, this issue will resolve its complexity and limitation by replacing it with "flat" parent-child relationships:
- only support non-hierarchical groups and roles
- allow a group or role to be defined as child of another group or role
- just need a security-role-role and security-group-group table (and corresponding LDAP mapping)
- check/enforce no circular references can be created
- adding UI support for this will be rather easy: we already have support for the group-role relationships, this is just more of the same


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
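
The flat parent-child model and the circular-reference check proposed in the issue above, as an added example that is not Jetspeed code or part of the original message. The class, function and group/role names are hypothetical, the sample data is constructed, and a dict stands in for the security-group-group table.

```python
class FlatAssociations:
    """Flat parent -> child links, modelled on a security-group-group table."""

    def __init__(self):
        self.children = {}  # parent name -> set of direct child names

    def descendants(self, name):
        """Every principal reachable from `name` through child links."""
        seen, stack = set(), [name]
        while stack:
            for child in self.children.get(stack.pop(), ()):
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        return seen

    def add_child(self, parent, child):
        """Store a link; refuse self-links and links that would close a cycle."""
        if parent == child or parent in self.descendants(child):
            raise ValueError(f"circular reference: {parent} -> {child}")
        self.children.setdefault(parent, set()).add(child)


def effective_access(user_groups, links, group_roles):
    """Groups a user ends up in, and the roles inherited through them."""
    groups = set(user_groups)
    for group in user_groups:
        groups |= links.descendants(group)  # division member -> subdivision member
    roles = set()
    for group in groups:
        roles |= group_roles.get(group, set())
    return groups, roles


def build_sample():
    """Constructed sample data: one division with nested subdivisions."""
    links = FlatAssociations()
    links.add_child("engineering", "platform")
    links.add_child("platform", "sre")
    group_roles = {"platform": {"deployer"}, "sre": {"oncall"}}
    return links, group_roles


if __name__ == "__main__":
    links, group_roles = build_sample()
    print(effective_access({"engineering"}, links, group_roles))
    try:
        links.add_child("sre", "engineering")  # would make engineering its own descendant
    except ValueError as err:
        print("rejected:", err)
```

Rejecting the link at insert time keeps membership resolution terminating and means every inherited group or role can be traced back to a stored parent-child row. The same check applies unchanged to a security-role-role table.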


[jira] Commented: (JS2-873) Simplified parent-child relationship model for Roles and Groups

Posted by "Ate Douma (JIRA)" <je...@portals.apache.org>.
    [ https://issues.apache.org/jira/browse/JS2-873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12626924#action_12626924 ] 

Ate Douma commented on JS2-873:
-------------------------------

Work for the issues JS2-870, JS2-872 and JS2-873 will commence in the separate security-refactoring branch (branched off the JS2-869 branch).

> Simplified parent-child relationship model for Roles and Groups
> ---------------------------------------------------------------
>
>                 Key: JS2-873
>                 URL: https://issues.apache.org/jira/browse/JS2-873
>             Project: Jetspeed 2
>          Issue Type: New Feature
>          Components: Admin Portlets, Security
>    Affects Versions: 2.2
>            Reporter: Ate Douma
>            Assignee: Ate Douma
>             Fix For: 2.2
>
>   Original Estimate: 120h
>  Remaining Estimate: 120h


[jira] Resolved: (JS2-873) Simplified parent-child relationship model for Roles and Groups

Posted by "Ate Douma (JIRA)" <je...@portals.apache.org>.
     [ https://issues.apache.org/jira/browse/JS2-873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ate Douma resolved JS2-873.
---------------------------

    Resolution: Fixed

The brand new portal trunk (copied over from the security-refactoring branch) now provides a new and (extremely) flexible, extendable and pluggable Principal Associations solution which provides all the features described, and then some :)



[jira] Assigned: (JS2-873) Simplified parent-child relationship model for Roles and Groups

Posted by "Ate Douma (JIRA)" <je...@portals.apache.org>.
     [ https://issues.apache.org/jira/browse/JS2-873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ate Douma reassigned JS2-873:
-----------------------------

    Assignee: Ate Douma
