Forum OpenACS Development: XoTCL permissions

Collapse
1: XoTCL permissions
Posted by Malte Sussdorff on 09/08/07 07:07 AM
Before looking at the code to get a "yes / no" answer I wanted to ask this question and get some feedback on design decisions about XoTCL permissions.

My assumption would be that you register permission checks as filters on the class. Is this the case? If so, does the filter have a default name so it could be overwritten? At which class level does it apply?

I would further assume that (if we do it the filter way) we can have default filters for CURD functions on ACS object derived classes like these:

Update ($object_id save): translates into write on object_id
Delete ($object_id delete): translates into delete on object_id. Could inherit from write (at least I think that is how the current thinking works, that by default you can delete if you can write)
Retrieve ($object_id instantiate): translates into read
Create ($object_id save_new): translates into create. And here I am unsure how to model this due to the fact that on create we do not have permissions on the object.

So my understanding would be that we give permissions on the context_id, so if you have create permissions on the context_id you would be allowed to create the object. But don't we usually want to give create permissions on the Class / object type? I am aware that this goes right back to my question of revisiting the permission system and I will ask about it in more detail there.

The benefit of the default filters (something which is hard to model in pure TCL if I'm not mistaken) would be that we do not have to concern ourselves with writing permission::permission_p all over the place, which is neglected most of the time anyway.

Having the ability to overwrite them by class would also allow you to have a finer level of permissions. Additionally you could probably write a mixin class if you have your own permission system or if you want to check permissions through an external source.

I am thinking here of organizations that use already complex systems for Roles and permissions on roles and functionalities. If you sell them OpenACS, one of the questions is "Do we have to model our permissions in your system as well?" In larger organizations that can become a full time job. Therefore being able to write a "translator" class which can map the general permissions is a good thing.

Collapse
2: Re: XoTCL permissions (response to 1)
Posted by Gustaf Neumann on 09/08/07 11:29 AM
Malte, i am not sure what you mean by "XoTCL permissions". i have the impression that your are not talking about the policies in xowiki but about the design of a new permission management system. The first question would be the "what" and the second step the "how". If i would reconsider the security management of OpenACS, i would orient it in terminology and semantics on the NIST standard of RBAC. Following standards eases as well the communiication with larger organizations.

We did some work in this direction over the last years (see e.g. the following publication)_

G. Neumann, M. Strembeck: Design and Implementation of a Flexible RBAC-Service in an Object-Oriented Scripting Language, in: Proc. of the 8th ACM Conference on Computer and Communication Security (CCS), Philadelphia, USA, November, 2001. http://wi.wu-wien.ac.at/home/mark/publications/ccs01.pdf

The implementation is available from Mark Strembeck's home-page: http://wi.wu-wien.ac.at/home/mark/xoRBAC/index.html

Collapse
3: Re: XoTCL permissions (response to 2)
Posted by Malte Sussdorff on 09/08/07 04:55 PM
This is interesting, I will take a deeper look into that. Great.

The only thing I guess I was wondering about is if XoTCL Core provides a functionality to check by default the permissions on objects. Therefore, if I want to retrieve object_id 2345 it will first check if I have read permission before allowing me to access it.

In OpenACS this is not possible by default, I need to call "permission::permission_p -object_id 2345 -privilege read". My understanding was that this generic approach could be easily adopted in XoTCL, effectively leaving no object without permissions (by having the filter call permission::permission_p for me on all objects). Does this make more sense?

Thanks for the links, I will look into them in detail later this weekend. And yes you are right, I was not talking about the xowiki policies. Out of curiosity, why did you not base them on xoRBAC? Or should I first read the whole documentation before asking the question as you might have done so?