Forum OpenACS Development: Response to Permissions Hierarchy

Posted by Tom Jackson on

Don, I was going to agree with you on the one implies many point, but I think that there may be a slight difference. I keep wanting to think of some sort of tree structure. The one descendant case is a special case of multiple descendants. I think the main problem I have with this system is that it is mimicking a hierarchy. For instance, does LDAP work by assigning every possible privilege? I don't think so. Instead it (probably) works its way up from the bottom looking for a right. A few, maybe a number, of targeted queries are made to determine access rights. If the system is simple, the number is limited, but I would guess that the number rises very slowly in relation to database size. I'm just wondering: is it that difficult to generalize the logic of 'who can do what to this'?

Maybe a better place to start is with other systems. What is possible, how do they do this type of thing? The OACS assumes infinitely complex groupings, and makes everyone pay for it up front. From my experience, this works for large systems if you only check one permission per page. To me this resulted from good (hehe, my) design, but actually I have only worked with relatively well defined systems. I think the designers envisioned a herd of managers constantly asking for this or that: 'Can you do that while scratching your ear?'. Although it is nice to think in the abstract, it is also nice to have a fast system. Which one do you think users will notice first?

Oh, Don, I think we are pretty much having the same problem: it works, but it looks weird, something just isn't right. I like the sound of scoping, but I'm not sure how that exactly works. Maybe something similar to the security_inherit_p flag for the context_id thing? Not really I guess. More like scoping in acs 3.x? I also like the idea of starting a new privilege tree.
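The "work its way up from the bottom looking for a right" approach the post contrasts with precomputing every grant, as an added illustration that is not Tom's code nor OpenACS's actual implementation: a simplified model where each object has a `context_id` and a `security_inherit_p` flag, the check walks up the context chain until it finds a grant or hits an object that does not inherit, and a small privilege tree (admin implies write implies read) stands in for "one implies many". The object ids, grantee names and privilege names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AcsObject:
    object_id: int
    context_id: Optional[int] = None   # parent in the context tree, None at the root
    security_inherit_p: bool = True    # False cuts inheritance from the context

# Privilege tree: a grant of the parent privilege implies the child ("one implies many").
PRIVILEGE_PARENT = {"read": "write", "write": "admin"}

def privileges_implying(privilege: str) -> set:
    """Return the privilege itself plus every ancestor that implies it."""
    result, current = set(), privilege
    while current is not None:
        result.add(current)
        current = PRIVILEGE_PARENT.get(current)
    return result

def permission_p(objects: dict, grants: dict, grantee: str, object_id: int, privilege: str) -> bool:
    """Walk up from object_id through context_id, stopping at the first matching grant.
    grants maps (grantee, object_id) -> set of directly granted privileges."""
    wanted = privileges_implying(privilege)
    visited, current = set(), object_id
    while current is not None:
        if current in visited:
            raise ValueError(f"context cycle at object {current}")
        visited.add(current)
        if grants.get((grantee, current), set()) & wanted:
            return True
        obj = objects[current]
        if not obj.security_inherit_p:
            return False            # object explicitly refuses to inherit from its context
        current = obj.context_id    # one targeted lookup per level, not one per possible grant
    return False

# Constructed sample: a forum (1) holding a public thread (2) and a private thread (3)
# that does not inherit; message 4 lives in the private thread.
OBJECTS = {
    1: AcsObject(1),
    2: AcsObject(2, context_id=1),
    3: AcsObject(3, context_id=1, security_inherit_p=False),
    4: AcsObject(4, context_id=3),
}
GRANTS = {
    ("alice", 1): {"admin"},   # forum admin
    ("bob", 2): {"read"},      # read only on the public thread
    ("carol", 3): {"write"},   # write on the private thread
}

if __name__ == "__main__":
    print(permission_p(OBJECTS, GRANTS, "alice", 2, "read"))   # True
    print(permission_p(OBJECTS, GRANTS, "alice", 4, "read"))   # False
```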