Posted to jetspeed-user@portals.apache.org by Archana Turaga <ar...@intervoice.com> on 2004/02/15 02:44:52 UTC

Security questions

Hi,
 The following questions:

1. What is the purpose of groups in Jetspeed? Just like Role-based PSML, is there group-based PSML?

2. What is really the meaning of owner-only security permission?

3. Is it possible to do Role-based PSML for a particular role? Suppose I want to have a set of users under the Role "Operator" to have role-based PSML and the users under "Admin" user-based PSML (if this is a valid term)?

Trying to get these terms cleared so that I can come up with a clear security model for a project.

Thanks for your time and patience.

Regards,
Archana


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-user-help@jakarta.apache.org


RE: Security questions

Posted by Prasad A Navalimath <pr...@india.hp.com>.
Hi,
>>> 3. Is it possible to do Role-based PSML for a particular role? Suppose 
>>> I want to have a set of users under the Role "Operator" to have 
>>> role-based PSML and the users under "Admin" user-based PSML (if this 
>>> is a valid term)?
>
>Yes, your scenario is possible.
>Jetspeed first looks under the user-based PSML, if it fails to find a PSML
>page for the user, it will then look under the (first) role.

But what I observed is if I change an anon user under role as user, and
remove the user/anon directory (especially no access to psml file of anon
user) completely.  Then according to theory it should definitely try to
approach role/user directory for the psml file. Though I have explicitly given
permission to anon as view. It gives me an error saying - "Error retreiving
portlet info" -- or some similar wording.

So I tried creating a new user this time, I made the default security as my
own (wherein I have given view access for this user), assigned the user
role. Had the role-based access. And made this user as anonymous user. Still
it gives the same error as - "Error retreiving portlet info" -- or some
similar wording, actually I didn't have that screenshot in front of me
presently.


Can anybody point out where I am actually making the mistake?

Thanks & regards,
Prasad.





Re: Security questions

Posted by David Sean Taylor <da...@bluesunrise.com>.
On Saturday, February 14, 2004, at 05:44  PM, Archana Turaga wrote:

> Hi,
>  The following questions:
>
> 1. What is the purpose of groups in Jetspeed? Just like Role-based 
> PSML is there group-based PSML?
>
Groups represent a collection of users much in the same way groups are 
used in operating systems.
Thus you can 'group' collections of users together in order to apply 
security constraints to those users.
For example, you could create a constraint that granted view and 
customize access to all users in group 'A', but only view access to 
group 'B'.
Try playing around with the Security Browser portlet to get a feel for 
how security constraints apply to groups, users and rules.

Also take a look at the authorization (AccessControl) API in Jetspeed 
Security.
There are APIs for granting and revoking roles to users, and for users 
joining and removing from groups.
Also, there are APIs for granting and revoking roles in the context of 
a group.
This is because Jetspeed tries to be flexible in its security model.
We support a user having different roles when they are in different 
groups.
A use case would be "Anne is the Project manager in Group A (which 
could be a project), but she is Chief Engineer in Group B (another 
project)".
Thus groups could abstractly represent "projects" or "domains", or just 
organizational groups.
Speaking of organizations, in J2 we plan to support hierarchies of 
roles and groups.

If you don't need roles inside of groups, we have the global group 
concept.
The 'Jetspeed' is the global group, as reflected in the API.
This gives the possibility of organizing your security model with 
disjoint (no) associations between roles and groups.


> 2. What is really the meaning of owner-only security permission?
>
This means that only the owner is granted access to a resource.
For example, a portlet on a page could be restricted to only the owner 
customizing the portlet.

> 3. Is it possible to do Role-based PSML for a particular role? Suppose 
> I want to have a set of users under the Role "Operator" to have 
> role-based PSML and the users under "Admin" user-based PSML (if this 
> is a valid term)?

Yes, your scenario is possible.
Jetspeed first looks under the user-based PSML, if it fails to find a 
PSML page for the user, it will then look under the (first) role.

>
> Trying to get these terms cleared so that I can come up with a clear 
> security model for a project.
>
> Thanks for your time and patience.
>
> Regards,
> Archana

--
David Sean Taylor
Bluesunrise Software
david@bluesunrise.com
[office]   +01 707 773-4646
[mobile] +01 707 529 9194
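
A small Python model of the two behaviours described in the reply above, added here as an illustration and not Jetspeed code: roles granted in the context of a group, and PSML lookup that tries the user's own page before falling back to the first role. The class, method, role and user names are hypothetical, and consulting only the first role takes the reply's "(first) role" wording literally.

```python
# Simplified model, not Jetspeed code; every name here is hypothetical.
GLOBAL_GROUP = "Jetspeed"  # the global group named in the reply


class SecurityModel:
    def __init__(self):
        self.grants = {}         # user -> [(role, group), ...] in grant order
        self.user_pages = set()  # users that have their own PSML page
        self.role_pages = set()  # roles that have a PSML page

    def grant_role(self, user, role, group=GLOBAL_GROUP):
        self.grants.setdefault(user, []).append((role, group))

    def has_role(self, user, role, group=GLOBAL_GROUP):
        # A role held in one group says nothing about any other group.
        return (role, group) in self.grants.get(user, [])

    def resolve_psml(self, user):
        """User page first; otherwise the page of the user's first role."""
        if user in self.user_pages:
            return ("user", user)
        granted = self.grants.get(user, [])
        if granted and granted[0][0] in self.role_pages:
            return ("role", granted[0][0])
        return None  # assumption: later roles are not consulted


def build_sample():
    """Constructed data: the Operator/Admin split and the Anne use case."""
    m = SecurityModel()
    m.role_pages.add("Operator")      # one shared page for all Operators
    m.user_pages.add("admin1")        # Admin users keep personal pages
    m.grant_role("admin1", "Admin")
    m.grant_role("op1", "Operator")
    m.grant_role("op2", "Auditor")    # first role has no page...
    m.grant_role("op2", "Operator")   # ...so this one is never reached
    m.grant_role("anne", "ProjectManager", group="A")
    m.grant_role("anne", "ChiefEngineer", group="B")
    return m


if __name__ == "__main__":
    m = build_sample()
    for user in ("admin1", "op1", "op2"):
        print(user, "->", m.resolve_psml(user))
    print("anne PM in B?", m.has_role("anne", "ProjectManager", "B"))
```

Under this reading, `op2` is the case to check when designing role-based pages: the order in which roles were granted decides whether a role page is found at all.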


