Re: C5 based permission model for MB-4

Re: C5 based permission model for MB-4

Himasha Guruge
Hi All,

This is to update on the discussion carried out in [1].

In terms of resources, it was noted that both queue and topic have similar actions, hence both these resources are captured as a single resource called 'destination' (since internally, a queue is used to create a topic).

Resource:Destination

1. create :  create a queue
2. delete : remove queue
3. browse : view messages in a queue
4. purge : remove messages in a queue
5. publish:  publish to a queue
6. subscribe : subscribe to a queue
7. view : view queue details. These queue details could include subscriptions made to a given queue.
8. close : close subscriptions of a queue
9. unsubscribe 

When considering a DLC (Dead Letter Channel) queue, there are two additional actions, as below. Since a DLC is also a queue, these actions will also be mapped to the 'destination' resource.

10. restore: Send the messages from DLC back to the original queue.
11. reroute: Send the messages from DLC to the original/different queue.

Initial permission allocation will be given, where an admin user will create a role with a permission such as 'createQueue' for a given space (wildcard based space such as topic.sports.*), and the user who has this role assigned can perform the specified actions of that permission on the queue/topic he/she creates.

A subscription will not be captured as a separate resource since the actions related to a subscription are already mapped to queue actions (view, close, unsubscribe).

In addition to the above, ownership transfer of a resource will be possible for an admin user.

[1] MB 4 - Permission Model Discussion 

Thanks,
Himasha 

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
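As an added illustration (not code from this thread or from the MB project), a small Python model of the proposal above: the single 'destination' resource with its eleven actions, role permissions scoped to a wildcard space such as topic.sports.*, and ownership transfer reserved for admin users. The rule that a non-admin's permission applies only to destinations in the space that the user owns, and the class, role and user names, are assumptions made for the example.

```python
import fnmatch
from collections import namedtuple

# Actions the thread maps onto the single 'destination' resource (queue or
# topic), including the DLC actions restore and reroute.
DESTINATION_ACTIONS = frozenset({
    "create", "delete", "browse", "purge", "publish", "subscribe",
    "view", "close", "unsubscribe", "restore", "reroute",
})
# A permission is an action granted over a wildcard space such as "topic.sports.*".
Permission = namedtuple("Permission", "action space")


class DestinationAuthz:
    """Hypothetical in-memory model: roles, user->roles, destination ownership."""
    def __init__(self, admin_role="admin"):
        self.admin_role = admin_role
        self.roles = {}       # role name -> set of Permission
        self.user_roles = {}  # user -> set of role names
        self.owners = {}      # destination name -> owning user

    def define_role(self, name, permissions):
        for p in permissions:
            if p.action not in DESTINATION_ACTIONS:
                raise ValueError("unknown destination action: %s" % p.action)
        self.roles[name] = set(permissions)

    def assign_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def is_admin(self, user):
        return self.admin_role in self.user_roles.get(user, set())

    def is_authorized(self, user, action, destination):
        if self.is_admin(user):
            return True
        # Assumption: a permission applies to destinations in its space that the
        # user owns (created, or received by transfer); 'create' needs no owner.
        if action != "create" and self.owners.get(destination) != user:
            return False
        for role in self.user_roles.get(user, ()):
            for perm in self.roles.get(role, ()):
                if perm.action == action and fnmatch.fnmatchcase(destination, perm.space):
                    return True
        return False

    def create_destination(self, user, destination):
        if not self.is_authorized(user, "create", destination):
            raise PermissionError("%s may not create %s" % (user, destination))
        self.owners[destination] = user

    def transfer_ownership(self, actor, destination, new_owner):
        # Only an admin user may transfer ownership, as proposed in the thread.
        if not self.is_admin(actor):
            raise PermissionError("only admin may transfer ownership")
        self.owners[destination] = new_owner
```

The wildcard space uses shell-style matching, so `topic.sports.*` also covers deeper names such as `topic.sports.cricket.live`; a deployment that wants single-segment wildcards would need a stricter matcher.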
Re: C5 based permission model for MB-4

Himasha Guruge
Hi Sharon,

Please find my comments inline.

2. view : view queue details. These queue details could include subscriptions made to a given queue.
            3. subscribe/unsubscribe  : view all subscriptions and ability to unsubscribe.

Yes, we can have this under queue details.

  5. assign permissions : Assign permissions to queue

Do you mean to have a separate permission type, which can be assigned to users? IMO we won't be needing a specific permission type to authorize a user to assign permissions to others. This will be based on a given role. (ex: Users with role 'admin' can assign permissions to others.)

6. edit/update : Updating queue 

Could you elaborate more on this? What details/entries should be updated in a queue?

Thanks,
Himasha 



On Wed, May 24, 2017 at 4:09 PM, Sharon David <[hidden email]> wrote:
Hi 

IMHO I think we need to add update/edit and assign permissions to queue to this list as well, 
we should group the actions as follows

1. create : create a queue
2. view : view queue details. These queue details could include subscriptions made to a given queue.
            3. subscribe/unsubscribe  : view all subscriptions and ability to unsubscribe.
            4. close : close subscriptions of a queue
            5. assign permissions : Assign permissions to queue
6. edit/update : Updating queue 
7. delete : remove queue

8. publish:  publish message to a queue
9. browse : view messages in a queue
10. purge : remove all messages in a queue

3 - 5 & 8 - 10 are per queue/destination basis. 

WDYT?


On Tue, May 23, 2017 at 11:53 AM, Himasha Guruge <[hidden email]> wrote:


--
Sharon David
Software Engineer - UI/UX    WSO2 Inc

+94 777 668 411  |  [hidden email]  |   http://wso2.com



--
Himasha Guruge
Software Engineer 
WSO2 Inc.
Mobile: +94 777459299
