Posted to dev@continuum.apache.org by Brett Porter <br...@apache.org> on 2006/09/28 04:19:37 UTC

Re: security policies was: rbac-integration continuum branch

Forking a separate thread here.

On 28/09/2006, at 12:04 PM, Jesse McConnell wrote:

> on a related note, and on the heels of the last email... some things
> to ponder
>
> There are a few policy decisions that I wanted to bring up for some  
> feedback...
>
> 1)  when a project group is added, should the 'Project Developer' role
> for that project automatically be assigned to the admin user?
>
> I think it should, since the admin is able to just go and grant it
> anyway, but will that encourage making everyone an admin?  should
> that be an option anyway?

I think it should. I don't think it would encourage making someone an  
admin.

>
> 2) when a project group is added, should the Project User role be
> granted to the guest user?
>
> I think so, but only if we are going to wrap these things behind
> authorization... which we really don't have to... which leads to the
> following questions, I suppose

What is the project user role?

This one will depend on the system, really. I think maybe assigning  
it by default but allowing it to be removed (or making it  
configurable at the time of addition) is a good idea.

Do all users inherit the roles of the guest?

Maybe in this case the roles and permissions are getting mixed up.  
Really, when you start assigning roles to a guest user, aren't you  
saying that the project permissions should be open to everyone?

>
> 3) who should be granted the role that allows for adding projects to
> continuum? right now that is only the system administrator.
>
> Perhaps we make a Continuum Manager role as well that grants that kind
> of top-level authorization without handing full sysad rights away... I
> kinda like that idea.

+1. This doesn't seem to be in place in the SVN version I'm using,  
BTW. The add project stuff appears to everyone.

>
> 4) how deep into continuum should the guest user be allowed?  should
> they have access to all levels of the project group information-wise,
> just not able to twiddle any dials or knobs?

That's basically how it is configured now. I think it's good.

Cheers,
Brett
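The four policy questions in the thread, worked through as an added example in a small stand-alone RBAC model. This is not Continuum's own code or its security implementation; the role names ("System Administrator", "Continuum Manager", per-group "Project Developer" and "Project User"), the permission vocabulary (`view`, `build`, `edit`, `add-project-group`, `manage-users`), the sample users and the `guest_roles_inherited` switch are all assumptions made for illustration. It shows what each decision implies once roles are assigned: the admin gets the developer role for a new group (1), the guest user gets the read-only Project User role unless the caller opts out (2), a Continuum Manager can add project groups without holding sysadmin rights (3), guest can look but not touch (4), and, addressing Brett's question, whether authenticated users inherit guest's roles decides whether granting a role to guest really means "open to everyone".

```python
"""Toy RBAC model for the policy questions above.

Hypothetical code for illustration only: role names, permission names and
users are assumptions, not Continuum's configuration or API.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (operation, resource); "*" is a wildcard
GUEST = "guest"               # the unauthenticated principal


@dataclass
class Rbac:
    roles: Dict[str, Set[Permission]] = field(default_factory=dict)
    assignments: Dict[str, Set[str]] = field(default_factory=dict)
    # Policy switch: do authenticated users also get everything guest has?
    guest_roles_inherited: bool = True

    def add_role(self, name: str, perms: Set[Permission]) -> None:
        self.roles[name] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.assignments.get(user, set()).discard(role)

    def effective_roles(self, user: str) -> Set[str]:
        roles = set(self.assignments.get(user, set()))
        # Guest's roles apply to guest itself, and to everyone else only
        # when the deployment chooses to inherit them.
        if user == GUEST or self.guest_roles_inherited:
            roles |= self.assignments.get(GUEST, set())
        return roles

    def can(self, user: str, op: str, resource: str) -> bool:
        for role in self.effective_roles(user):
            for p_op, p_res in self.roles[role]:
                if p_op in (op, "*") and p_res in (resource, "*"):
                    return True
        return False


def make_system() -> Rbac:
    """Global roles: full sysadmin, and a manager who may only add groups."""
    rbac = Rbac()
    rbac.add_role("System Administrator", {("*", "*")})
    rbac.add_role("Continuum Manager", {("add-project-group", "*")})
    rbac.assign("admin", "System Administrator")
    rbac.assign("alice", "Continuum Manager")  # assumed sample user
    return rbac


def add_project_group(rbac: Rbac, actor: str, group: str,
                      grant_guest_view: bool = True) -> Tuple[str, str]:
    """Create the per-group roles and apply decisions 1 and 2.

    Raises PermissionError unless the actor holds add-project-group (3).
    """
    if not rbac.can(actor, "add-project-group", "*"):
        raise PermissionError(f"{actor} may not add project groups")
    dev_role = f"Project Developer - {group}"
    user_role = f"Project User - {group}"
    rbac.add_role(user_role, {("view", group)})
    rbac.add_role(dev_role, {("view", group), ("build", group), ("edit", group)})
    rbac.assign("admin", dev_role)          # decision 1: admin gets developer
    if grant_guest_view:                    # decision 2: configurable default
        rbac.assign(GUEST, user_role)       # decision 4: guest is read-only
    return dev_role, user_role


if __name__ == "__main__":
    rbac = make_system()
    add_project_group(rbac, "alice", "continuum-core")
    print("guest view:", rbac.can(GUEST, "view", "continuum-core"))
    print("guest build:", rbac.can(GUEST, "build", "continuum-core"))
    print("alice manage-users:", rbac.can("alice", "manage-users", "*"))
```

The `guest_roles_inherited` flag is the crux of Brett's question: with it on, assigning Project User to guest is the same as making the group world-readable, since every authenticated user sees at least what guest sees; with it off, guest's roles stay specific to the anonymous principal and a freshly created user sees nothing until granted a role.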