
Fine Grained ACL


Implementing ACLs across multiple languages and platforms so that they can be administered from a central location

How would I implement a granular access control list to allow:

  • rights inheritance
    • a user is able to offer rights to another user
  • authority checking
    • check whether a user is vouched for by a higher authority for the right they wish to exercise or share

It must offer the following capabilities to the user:

  • Web of trust between users (new)
  • Ability to share a right
  • Ability to control whether that right can be re-shared by the assignee

What would the API look like, so that it could be incorporated into existing applications in:

  • PHP, Perl, .htaccess files, ASP, C/C++, Java
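The following is an added worked example, not code from the original page: a minimal in-memory model of the ACL described above. Rights are strings, each share is a Grant edge (grantor vouches for grantee) carrying a "regrant" flag that controls whether the assignee may re-share, and the authority check walks the chain of grants back to an assumed top-level authority named "root". The names ROOT, ACL, Grant, share, has_right, can_share and revoke are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple

ROOT = "root"  # assumed name of the top-level authority that vouches for every right


@dataclass(frozen=True)
class Grant:
    """One edge in the web of trust: grantor vouches for grantee holding `right`."""
    grantor: str
    grantee: str
    right: str
    regrant: bool  # may the grantee pass this right on to others?


class ACL:
    def __init__(self, root: str = ROOT) -> None:
        self.root = root
        self.grants: List[Grant] = []

    def _grants_to(self, user: str, right: str) -> List[Grant]:
        return [g for g in self.grants if g.grantee == user and g.right == right]

    def can_share(self, user: str, right: str, _path: Tuple[str, ...] = ()) -> bool:
        """True if `user` holds `right` with regrant permission, vouched for back to root.

        Every grant on the chain must itself carry regrant, because each grantor
        had to be allowed to pass the right on.  `_path` stops a cycle (two users
        granting to each other) from recursing forever.
        """
        if user == self.root:
            return True
        if user in _path:
            return False
        return any(
            g.regrant and self.can_share(g.grantor, right, _path + (user,))
            for g in self._grants_to(user, right)
        )

    def has_right(self, user: str, right: str) -> bool:
        """Authority check: does some grantor who could share `right` vouch for `user`?"""
        if user == self.root:
            return True
        return any(
            self.can_share(g.grantor, right, (user,))
            for g in self._grants_to(user, right)
        )

    def share(self, grantor: str, grantee: str, right: str, regrant: bool = False) -> None:
        """Grantor offers `right` to grantee; refused unless grantor holds it with regrant."""
        if not self.can_share(grantor, right):
            raise PermissionError(f"{grantor} may not share {right!r}")
        self.grants.append(Grant(grantor, grantee, right, regrant))

    def revoke(self, grantor: str, grantee: str, right: str) -> None:
        """Drop one grant; everything that depended on it fails the next check."""
        self.grants = [
            g for g in self.grants
            if not (g.grantor == grantor and g.grantee == grantee and g.right == right)
        ]


def demo() -> dict:
    """Constructed scenario: two independent vouches for bob, one subtree revoked."""
    acl = ACL()
    acl.share(ROOT, "alice", "read:report", regrant=True)
    acl.share(ROOT, "frank", "read:report", regrant=True)
    acl.share("alice", "bob", "read:report")             # bob gets the right, no regrant
    acl.share("frank", "bob", "read:report")             # second, independent vouch for bob
    acl.share("alice", "dave", "read:report", regrant=True)
    acl.share("dave", "carol", "read:report")
    try:
        acl.share("bob", "eve", "read:report")           # bob holds the right but cannot re-share
        bob_can_reshare = True
    except PermissionError:
        bob_can_reshare = False
    acl.revoke(ROOT, "alice", "read:report")             # cuts alice's whole subtree
    return {
        "bob_can_reshare": bob_can_reshare,
        "bob_after_revoke": acl.has_right("bob", "read:report"),      # still vouched for by frank
        "dave_after_revoke": acl.has_right("dave", "read:report"),
        "carol_after_revoke": acl.has_right("carol", "read:report"),  # chain ran through alice
    }


if __name__ == "__main__":
    print(demo())
```

Revocation needs no cascade step: because every check re-walks the chain to root, removing one grant silently invalidates everything downstream while leaving a user who was vouched for by a second, independent grantor unaffected.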

questions:

fishy: If you extend the traditional RWX permissions to include a Grant bit would that be sufficient? Here the idea is that User A could grant a privilege to User B provided: User A has the privilege themselves and User A has the G bit set.

The obvious answer to the universal accessibility would be a MySQL database. All of the languages you listed could access it, it could be accessed over the network...

reply:

simon: I don't think that RWXG would be sufficient, as it does not form any trust relationship between users.

fishy: Okay, explain how user trust relationships are represented? In statements like "User B can RX anything created by User A, (so long as User A has granted themselves RX)" and that sort of thing?

And what about the Database idea? It has some obvious drawbacks... enforcement would be left up to the programmer using the API, not to the API itself. The "real programmer" would probably write a C++ API then write a .PM to hook it to Perl, and also compile function hooks into PHP. That is a painful lot of work, but probably the "proper" way to do it.
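As an added example (not from the page or either poster), here is how the grant-bit model and the authority check look when the grants live in a shared SQL database, so that each of the listed languages runs the same query rather than re-implementing the chain walk. SQLite via Python's standard sqlite3 module stands in for the central MySQL server; the table name grants, the column perm, the regrant column for the G bit and the root authority name 'root' are all this example's assumptions. The check itself is a recursive CTE, and share() does its check and insert under one write lock so a concurrent revoke cannot slip in between them.

```python
import sqlite3

# Constructed schema: one row per grant; `regrant` is the G bit.
SCHEMA = """
CREATE TABLE IF NOT EXISTS grants (
    grantor TEXT    NOT NULL,
    grantee TEXT    NOT NULL,
    perm    TEXT    NOT NULL,
    regrant INTEGER NOT NULL CHECK (regrant IN (0, 1)),
    PRIMARY KEY (grantor, grantee, perm)
);
"""

# Recursive walk from :who back towards 'root' following grants for :perm.
# A chain row (node, need_g) says node is on the chain; need_g = 1 means the
# grant into node must carry the G bit, because node passed the right on.
# UNION (not UNION ALL) de-duplicates rows, so mutual grants cannot loop forever.
CHAIN_SQL = """
WITH RECURSIVE chain(node, need_g) AS (
    SELECT :who, :need_g
    UNION
    SELECT g.grantor, 1
      FROM grants AS g
      JOIN chain  AS c ON g.grantee = c.node
     WHERE g.perm = :perm
       AND (c.need_g = 0 OR g.regrant = 1)
)
SELECT EXISTS (SELECT 1 FROM chain WHERE node = 'root')
"""


def open_store(path=":memory:"):
    """Open the shared store in autocommit mode so share() can hold its own lock."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def holds(conn, who, perm, need_g=0):
    """Authority check done entirely in SQL: does a valid chain reach root?"""
    row = conn.execute(CHAIN_SQL, {"who": who, "perm": perm, "need_g": need_g}).fetchone()
    return bool(row[0])


def share(conn, grantor, grantee, perm, regrant=False):
    """Check-then-insert inside one IMMEDIATE transaction, so a revoke on another
    connection cannot land between the authority check and the new grant."""
    conn.execute("BEGIN IMMEDIATE")
    try:
        if not holds(conn, grantor, perm, need_g=1):
            raise PermissionError(f"{grantor} may not share {perm!r}")
        conn.execute("INSERT INTO grants VALUES (?, ?, ?, ?)",
                     (grantor, grantee, perm, int(regrant)))
        conn.execute("COMMIT")
    except BaseException:
        conn.execute("ROLLBACK")
        raise


def revoke(conn, grantor, grantee, perm):
    """Delete one grant; downstream users lose the right on their next check."""
    conn.execute("DELETE FROM grants WHERE grantor = ? AND grantee = ? AND perm = ?",
                 (grantor, grantee, perm))


def demo():
    """Constructed scenario: root -> alice (with G) -> bob (without G)."""
    conn = open_store()
    share(conn, "root", "alice", "read:report", regrant=True)
    share(conn, "alice", "bob", "read:report")
    try:
        share(conn, "bob", "carol", "read:report")   # bob has the right but not the G bit
        bob_can_reshare = True
    except PermissionError:
        bob_can_reshare = False
    before = holds(conn, "bob", "read:report")
    revoke(conn, "root", "alice", "read:report")
    after = holds(conn, "bob", "read:report")
    return {"bob_can_reshare": bob_can_reshare, "bob_before": before, "bob_after": after}


if __name__ == "__main__":
    print(demo())
```

The database stores the web of trust but does not enforce it by itself: a client with a raw INSERT privilege on the grants table can bypass share(). Putting the check in a stored procedure or trigger, or routing every write through one service, is what turns the shared table into an API that enforces its own rules.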
