[stellation-res] Access Control Lists
I have had a look at the spec and I have a number of thoughts.
1. I think you can simplify the UML diagram and hence the underlying model
by removing "Permission Grant". In this view a "Privilege Set" would grant
privileges directly to an "Access Control Group" and an "Access Control
Entry" in an ACL would directly grant access to a controlled object
(Repository, Branch or Access Control Group). To me the relationship between
"Privilege Set" and "Access Control Group" should be one of containment and
the granting relationship should exist directly between an ACE and an "Access
Control Group".

I would consider providing a separate ACL for each repository object to be
protected. This would yield a 1:1 relationship between an ACL and a single
controlled object.

2. I like the concept of inherited privileges. It nicely allows an
organization to support an open policy where most privileges are granted by
default or a restrictive policy where privileges are only granted on an
as-needed basis.

3. I think that you will need the following capabilities in the API that
grants access to controlled objects for groups.
a) Add a specified list of "Access Control Groups" to an ACL.
b) Add all but a specified list of "Access Control Groups" to an ACL.
c) Remove a specified list of "Access Control Groups" from an ACL.
d) Remove all but a specified list of "Access Control Groups" from an ACL.
It is essential that a remove operation does not result in a situation where
there is no group with the privilege to modify the ACL.

4. I would describe the set of privileges that an individual user has on a
specific controlled object as follows.
a) Compute the intersection of the user and the "Access Control Groups" in
the ACL controlling an object.
b) Compute the union of the privileges granted by the ACGs in the
intersection.
Regards
Jonathan
Personal Email
jgossage@xxxxxxxx
Business Email
jonathan@xxxxxxxxxxxxxx
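The four ACL operations from point 3, the "never leave the ACL without an editor" invariant, and the privilege computation from point 4, as an added Python example; this is illustrative code, not from the poster or the Stellation project, and it assumes a privilege named "modify_acl" and the constructed sample groups below.

```python
# Constructed illustration of the model in the mail: every Access Control Group
# (ACG) carries a privilege set, one ACL per controlled object lists the ACGs
# granted access to it, and a user's effective privileges follow point 4.
MODIFY_ACL = "modify_acl"  # assumed privilege name for editing the ACL itself

class ACL:
    """ACL for a single controlled object (the 1:1 relationship suggested)."""

    def __init__(self, group_privs, members):
        self.group_privs = group_privs          # ACG name -> set of privileges
        self.members = set()
        self.add(members)                       # validates group names
        self._require_acl_editor(self.members)

    def _known(self, groups):
        unknown = set(groups) - set(self.group_privs)
        if unknown:
            raise KeyError(f"unknown Access Control Groups: {sorted(unknown)}")
        return set(groups)

    def _require_acl_editor(self, members):
        # Point 3: no change may leave the ACL with no group able to modify it.
        if not any(MODIFY_ACL in self.group_privs[g] for g in members):
            raise ValueError("change would leave no group able to modify the ACL")

    def add(self, groups):                      # 3a
        self.members |= self._known(groups)

    def add_all_but(self, groups):              # 3b
        self.members |= set(self.group_privs) - self._known(groups)

    def remove(self, groups):                   # 3c
        self._replace(self.members - self._known(groups))

    def remove_all_but(self, groups):           # 3d
        self._replace(self.members & self._known(groups))

    def _replace(self, new_members):
        self._require_acl_editor(new_members)   # check before committing
        self.members = new_members

    def effective_privileges(self, user_groups):
        # 4a: intersect the user's ACGs with the ACL's ACGs; 4b: union their privileges.
        granted = self.members & self._known(user_groups)
        return set().union(*(self.group_privs[g] for g in granted))

# Constructed sample data (not from the original message).
GROUP_PRIVS = {
    "admins": {"read", "write", MODIFY_ACL},
    "developers": {"read", "write"},
    "guests": {"read"},
}
```

A rejected remove leaves the ACL unchanged, so callers can treat the ValueError as a policy violation rather than a corrupted state.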