| Subject | Re: [IB-Architect] System predefined roles |
|---|---|
| Author | Jim Starkey |
| Post date | 2001-04-25T15:37:02Z |
At 11:17 AM 4/25/01 -0400, you wrote:
the module SCL.E for gory details. But be careful -- the module
was heavily reworked by the intellectual giants who implemented
"politically correct."
The basic of idea is since groups of table tend to share
security/access policies, the various policies are defined
as independent named objects calls as securty classes, and
each table is assigned a security class. The security class,
in turn, is defined with an open-ended access control list
where access can be controlled by user name, group member,
host, or a variety of other things (the mechanism was used
to mask platform specific authentication schemes). The
access control mechanism, based on an order list of access
control items, is quite powerful, allowing compound authentication.
I added SQL grant/revoke semantic for the dBase V project circa
V3 layered on and consistent with security classes.
I would be surprised if the basic mechanism had been removed
as the Borland developers rarely took the time to understand
anything with sufficient depth to remove it.
Although the existing code is probably servicable, the actual
ACL is a structured blob (probably a blob filter for it somewhere)
that needs DDL process support. In accordance with the philosphy
of "don't fix it, don't extend it, just implemented it" nothing
was done to provide SQL level access to the underlying mechanism.
I wouldn't consider recycling the code. I just did a quick
check. It's a mess.
Jim Starkey
>Hi,I believe it is still used to implement SQL grant/revoke. See
>
>Is this ACL mechanism still there? Forgive my ignorance, which
>modules/files? Can we maybe reuse/resurrect this for java?
>
the module SCL.E for gory details. But be careful -- the module
was heavily reworked by the intellectual giants who implemented
"politically correct."
The basic of idea is since groups of table tend to share
security/access policies, the various policies are defined
as independent named objects calls as securty classes, and
each table is assigned a security class. The security class,
in turn, is defined with an open-ended access control list
where access can be controlled by user name, group member,
host, or a variety of other things (the mechanism was used
to mask platform specific authentication schemes). The
access control mechanism, based on an order list of access
control items, is quite powerful, allowing compound authentication.
I added SQL grant/revoke semantic for the dBase V project circa
V3 layered on and consistent with security classes.
I would be surprised if the basic mechanism had been removed
as the Borland developers rarely took the time to understand
anything with sufficient depth to remove it.
Although the existing code is probably servicable, the actual
ACL is a structured blob (probably a blob filter for it somewhere)
that needs DDL process support. In accordance with the philosphy
of "don't fix it, don't extend it, just implemented it" nothing
was done to provide SQL level access to the underlying mechanism.
I wouldn't consider recycling the code. I just did a quick
check. It's a mess.
Jim Starkey