Using dotLRN since 2003 we had many requests to limit access to communities given different criteria like only master students or students studying economy or only members of the department foo. As you can see the possibilities to limit access to a community are endless. And the usage of rules for other areas as well. Why not limit access to file storage give a rule or to forums or to any other privilege of any object?
So here is the basic idea:
Any object can provide its web service and must provide three methods:
1. return the xml schema for an instance of the object
2. return the possible discrete values for the objects attributes
3. return an instance of the schema given a unique id
Example: Student service:
1. schema:
<?xml version="1.0" encoding="utf-8" ?>
<student name="Student">
<program name="Program of Study" />
<degree name="Degree" />
<status name="Status" />
<terms name="Terms of Studying"/>
</student>
2. Attribute values, here just the data:
Master
Bachelor
...
3. An actual instance:
<?xml version="1.0" encoding="utf-8" ?>
<student>
<program>Economics</program>
<degree>Master</degree>
<status>active</status>
<terms>5</terms>
</student>
As you can see
- schema and instance only differ in the attribute "name" for an editor (more on that later)
- this design is limit to simple objects
- this design is limited to discrete attribute values.
Still - I can deal with a many scenarios thru this already.
Now imagine a service registry package where the site-wide admin can register given institutional services like the above and make them available to different packages like dotlrn, file-storage...
Now a community admin can inside his community define rules given an editor. The rules are stored in a repository both in a machine and human readable way. The machine syntax is xpath. Then the community admin publishs a rule to predefined events like membership requests for a community. We can implement this easily with callbacks or some other way.
Once the rule is active and a student wants to request membership for a community the rule is tested against the xml instance for that student and access is granted or not depending wether the rule results true or not. If access is denied the human readable text of the rule is presented the student as an explanation for the denial.
Of course one issue is performance. Therefore the service registry package provides the option to cache xml instances during a session or a given time.
With this solution we could extend OpenACS with a very flexible xml/xpath based rule engine.
As I mentioned there are some limitations in the design that could be improved in the future. The biggest benefit I see is that you can define any rule you want simply by registering an institution specific service that resist outside of OpenACS.
The most important part is the editor. Since we cannot expect from users to know xpath it must be able to create that query on the fly displaying the human readable code.
Here a screen shot of a quick hack I developed:
https://dotlrn.uni-mannheim.de/screenshot.gif
Unfortunately it is in german but you will get the idea from the generated xpath query.
It wouldn't be too difficult to even allow the combination cross service rules where ids are equivalent.
For instance:
all students who study computer science and have posted more than 100 messages in forums.