
fine grained access control: yes it's messy

Sean McGrath, CTO, Propylon

I've been playing around with some CMS/Portal systems lately and noodling the problem of providing fine grained access control. There seems to be a consensus of sorts around the core techniques (classifying logins, adding roles to them, putting them in groups etc.). However, my experience is that they are all implemented differently in different systems and the whole thing has an innate ability to become...well...ugly and complicated. Am I missing something?

Maybe coarse grained access control is the way to go. Most of what you would want to do in terms of manipulating content in a CMS could be described using generic methods, as you find in HTTP (or WebDAV, or CVS, or SQL, or chmod... ok, maybe not chmod). Don't want a principal to write to a particular document? Reject POST/commit/UPDATE requests to that document.

March 1, 2003 03:49 PM


(March 3, 2003 04:18 PM #)

BEA, Entrust, IBM, and others have taken a shot at this problem recently with XACML [http://www.oasis-open.org/committees/xacml/], developed and released through OASIS.

Sun has released an open source implementation [http://sourceforge.net/projects/sunxacml/].
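
The coarse grained idea raised earlier on this page (reject POST/commit/UPDATE for a principal on a document) can be sketched as a deny-by-default check. This is an added example, not code from the post or from any CMS; the principals, paths, grants and the `is_allowed` helper are constructed for illustration.

```python
import posixpath

READ, WRITE = "read", "write"

# Generic verbs per protocol, collapsed to two coarse actions. The protocol
# matters: CVS "update" only reads the repository, SQL "UPDATE" writes.
VERBS = {
    "http": {"GET": READ, "HEAD": READ, "PROPFIND": READ,
             "POST": WRITE, "PUT": WRITE, "DELETE": WRITE, "PROPPATCH": WRITE},
    "cvs": {"checkout": READ, "update": READ, "commit": WRITE},
    "sql": {"SELECT": READ, "INSERT": WRITE, "UPDATE": WRITE, "DELETE": WRITE},
}

# Constructed sample policy: (principal, path prefix, allowed actions).
GRANTS = [
    ("alice", "/docs/", {READ, WRITE}),
    ("bob", "/docs/", {READ}),
    ("bob", "/docs/drafts/", {READ, WRITE}),
]


def is_allowed(principal, protocol, verb, path):
    """Return True only if a grant explicitly covers this request."""
    action = VERBS.get(protocol, {}).get(verb)
    if action is None:
        return False  # unknown protocol or verb: deny
    # Normalize before matching so "/docs/drafts/../policy.xml" is judged
    # as "/docs/policy.xml", not as something under /docs/drafts/.
    path = posixpath.normpath(path)
    best_prefix, best_actions = "", None
    for who, prefix, actions in GRANTS:
        if who == principal and path.startswith(prefix):
            if len(prefix) > len(best_prefix):  # most specific grant wins
                best_prefix, best_actions = prefix, actions
    return best_actions is not None and action in best_actions


if __name__ == "__main__":
    for req in [("bob", "http", "GET", "/docs/policy.xml"),
                ("bob", "http", "POST", "/docs/policy.xml"),
                ("bob", "cvs", "commit", "/docs/policy.xml"),
                ("bob", "http", "PUT", "/docs/drafts/../policy.xml")]:
        print(req, "->", "allow" if is_allowed(*req) else "reject")
```

The same two-action policy answers requests arriving over any of the listed protocols, which is the appeal of the coarse grained approach; the cost is that anything finer than read/write per document has to be expressed some other way.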
