Posted to dev@continuum.apache.org by Brett Porter <br...@apache.org> on 2006/09/28 04:19:37 UTC
Re: security policies was: rbac-integration continuum branch
Forking a separate thread here.
On 28/09/2006, at 12:04 PM, Jesse McConnell wrote:
> on a related note and the heels of the last email....some things to
> ponder
>
> There are a few policy decisions that I wanted to bring up for some
> feedback...
>
> 1) when a project group is added, should the 'Project Developer' role
> for that project automatically be assigned to the admin user?
>
> I think it should, since the admin is able to just go and grant it
> anyway, but
> will that encourage making everyone an admin? should that be an
> option anyway?
I think it should. I don't think it would encourage making someone an
admin.
>
> 2) when a project group is added, should the Project User role be
> granted to the guest user?
>
> I think so, but only if we are going to wrap these things behind
> authorization...
> which we really don't have to...which leads to following questions
> I suppose
What is the project user role?
This one will depend on the system, really. I think maybe assigning
it by default but allowing it to be removed (or making it
configurable at the time of addition) is a good idea.
Do all users inherit the roles of the guest?
Maybe in this case the roles and permissions are getting mixed up.
Really, when you start assigning roles to a guest user, aren't you
saying that the project permissions should be open to everyone?
>
> 3) who should be granted the role that allows for adding projects to
> continuum? right now that is only the system administrator.
>
> Perhaps we make a Continuum Manager role as well that grants that kind
> of top lvl authorization without handing full sysad rights away...I
> kinda like that idea.
+1. This doesn't seem to be in place in the SVN version I'm using,
BTW. The add project stuff appears to everyone.
>
> 4) how deep into continuum should the guest user be allowed? should
> they have access to all levels of the project group information wise,
> just not able to twiddle any dials or knobs?
That's basically how it is configured now. I think it's good.
Cheers,
Brett