No Subject
The following are some issues that I think should be addressed.
I. Should HRAC understand application data/functionality?
I propose that HRAC should have no understanding of application
functionality or data.
II. What is a resource?
I propose that a resource is whatever an application defines it to be.
III. What is a resource name?
I propose that it is an identifier for an application defined resource. Its
format may be as simple as:
typedef sequence<string> ResourceName;
IV. What is resource metadata?
I propose that resource metadata is data that describes a resource. Note:
"describes" does not mean provides the value of the resource. I suggest
that HRAC has no requirement to maintain, obtain, or use this metadata. If
it exists or is used, it is strictly an application issue.
V. What information does an application pass to the decision maker logic?
I propose that it pass:
1. A resource name
2. An operation name
3. A User Credential (collection of attributes (principal, group, roles))
VI. What is the format of an operation?
I propose that it can be as simple as:
typedef string Operation;
VII. How are rules specified?
I propose that each ResourceName-Operation pair has the following
associated with it:
1. One or more credential attributes
2. A sequence of time-pairs
Permission is granted if "any" of the user credential attributes match
"any" of the associated credential attributes and the current time does not
fall in one of the time-pairs' periods of time.
If resources are used in a hierarchical fashion, that is, the resource name
has more than one name in its sequence, then subsetting of rules should be
enforced.
One might want to further define something called a policy object that
would be a matrix of operations x attributes. The policy object could have
a name and be used in the future without rebuilding the matrix.
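The following Python sketch is added here as an illustration and is not part of this message or of any HRAC specification. It implements the decision-maker inputs of section V and the rule semantics of section VII: a resource name is a sequence of strings, an operation is a string, a credential is a flat set of attributes (written here as tagged strings such as "role:nurse", a constructed convention), and each ResourceName-Operation pair carries a set of granting attributes plus time-pairs that deny access. Three points are assumptions rather than statements from the message: a pair with no applicable rule is denied (default deny); time-pairs are time-of-day windows, with a pair such as 22:00-06:00 wrapping past midnight; and "subsetting of rules" for hierarchical names is interpreted as: an operation on a nested resource is permitted only if every ancestor rule on the path also permits it, so a child rule can narrow but never widen what its ancestors grant. The sample resources and rules in build_demo are constructed.

```python
from dataclasses import dataclass, field
from datetime import time

# Mirrors the IDL in the message: a resource name is a sequence of strings
# (hierarchical when it has more than one element); an operation is a string.
ResourceName = tuple[str, ...]
Operation = str


@dataclass(frozen=True)
class Credential:
    """User credential: a flat set of attributes such as 'principal:alice',
    'group:nurses', 'role:physician' (constructed tagging convention)."""
    attributes: frozenset[str]


def _in_window(now: time, start: time, end: time) -> bool:
    """True if time-of-day `now` lies in [start, end).
    A pair with start > end (e.g. 22:00-06:00) is assumed to wrap past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


@dataclass
class Rule:
    """Rule attached to one (ResourceName, Operation) pair."""
    attributes: frozenset[str]                                       # any one grants access
    time_pairs: list[tuple[time, time]] = field(default_factory=list)  # periods that deny access

    def permits(self, cred: Credential, now: time) -> bool:
        # "any" credential attribute must match "any" rule attribute ...
        if not (self.attributes & cred.attributes):
            return False
        # ... and the current time must not fall in any time-pair.
        return not any(_in_window(now, s, e) for s, e in self.time_pairs)


class DecisionMaker:
    """Holds rules and answers (resource, operation, credential) requests.
    Assumption: default deny when no rule applies."""

    def __init__(self) -> None:
        self._rules: dict[tuple[ResourceName, Operation], Rule] = {}

    def add_rule(self, resource, op: Operation, attributes, time_pairs=()) -> None:
        self._rules[(tuple(resource), op)] = Rule(frozenset(attributes), list(time_pairs))

    def _applicable(self, resource: ResourceName, op: Operation) -> list[Rule]:
        # Rules on every ancestor prefix of the name, then on the name itself.
        return [self._rules[(resource[:i], op)]
                for i in range(1, len(resource) + 1)
                if (resource[:i], op) in self._rules]

    def decide(self, resource, op: Operation, cred: Credential, now: time) -> bool:
        rules = self._applicable(tuple(resource), op)
        if not rules:
            return False
        # Subsetting (interpretation): every rule on the path must permit, so a
        # child rule can only narrow what its ancestors grant.
        return all(rule.permits(cred, now) for rule in rules)


def build_demo() -> DecisionMaker:
    """Constructed sample policy: a records tree with a narrower psychiatry branch."""
    dm = DecisionMaker()
    dm.add_rule(("records",), "read", {"role:physician", "role:nurse"})
    dm.add_rule(("records",), "write", {"role:physician"})
    dm.add_rule(("records", "psychiatry"), "read", {"role:physician"},
                time_pairs=[(time(22, 0), time(6, 0))])      # no reads overnight
    # A child rule that tries to widen the parent's "write" grant has no effect.
    dm.add_rule(("records", "oncology"), "write", {"role:physician", "role:nurse"})
    return dm


def check(dm: DecisionMaker, resource, op: Operation, attrs, hour: int, minute: int = 0) -> bool:
    """Convenience wrapper: evaluate a request at the given time of day."""
    return dm.decide(resource, op, Credential(frozenset(attrs)), time(hour, minute))


if __name__ == "__main__":
    dm = build_demo()
    print(check(dm, ("records", "psychiatry"), "read", {"role:physician"}, 10))  # True
    print(check(dm, ("records", "psychiatry"), "read", {"role:physician"}, 23))  # False
```

Note that the decision maker never looks inside the resource or its metadata, in line with sections I and IV: it only compares names, attributes and the clock, and the application decides what the names mean.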
VIII. What else is needed?
I propose as little as possible. Some examples might be:
1. Callback mechanism for rules changes.
2. Interface to defining resources/rules.
3. More complexity in Resource Name, perhaps to indicate resource types,
etc.
_________________________________________________________
Carol Burt 2AB, Inc.
cburt@2ab.com Integration Architects
205-621-7455 www.2ab.com
Member, OMG Architecture Board OMG Domain Member
-- integrating yesterday's systems with today's technology --
----------------
Broadcast message to hrac-rfp from Carol Burt <cburt@2ab.com>.
Go to http://cadse.cs.fiu.edu/omg/hrac-rfp to browse the mail list archive.