[cap-talk] Capabilities and RBAC (was Comprehensive Security Policies ...)
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Tue Jan 16 22:08:26 CST 2007
Karp, Alan H wrote:
> The nice thing about capabilities is that they can be combined
> dynamically to solve the problem that RBAC was supposed to solve but
> doesn't. I don't see a lot of value (other than political) in trying to
> build RBAC mechanisms in a capability system. Simply construct a bundle
> of capabilities given to whomever is supposed to do a particular job,
> and revoke them when that person changes jobs. You can call the
> revoking forwarder a role if your customer insists on roles. I believe
> that's what people on this list mean, but it's not RBAC in the sense
> that the rest of the world understands it.
I agree; I said essentially the same thing in
<http://www.eros-os.org/pipermail/cap-talk/2005-April/003507.html>.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
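
The bundle and revoking forwarder described in the quoted message, sketched as an added example that is not part of the original post or either author's code. `makeRoleBundle`, `makeLedger` and the sample capabilities are hypothetical names constructed here, and the sketch assumes capabilities are plain objects whose methods carry the authority.

```javascript
'use strict';
// Constructed sample capability: holding the object is the authority to use it.
function makeLedger() {
  const entries = [];
  return {
    append(e) { entries.push(e); return entries.length; },
    read() { return entries.slice(); },
  };
}

// Revoking forwarder over a bundle of capabilities (the "role").
// Every forwarded method checks one shared flag, so a method the holder
// stashed before revocation stops working too.
// Caveat: results are passed through unwrapped; if a method returned
// another capability, that one would need its own forwarder.
function makeRoleBundle(caps) {
  let live = true;
  const bundle = {};
  for (const [name, target] of Object.entries(caps)) {
    const fwd = {};
    for (const key of Object.keys(target)) {
      if (typeof target[key] !== 'function') continue;
      fwd[key] = (...args) => {
        if (!live) throw new Error(`revoked: ${name}.${key}`);
        return target[key](...args);
      };
    }
    bundle[name] = Object.freeze(fwd);
  }
  return { bundle: Object.freeze(bundle), revoke() { live = false; } };
}

function demo() {
  const ledger = makeLedger();
  const printer = { print(doc) { return `printed ${doc}`; } };
  const { bundle, revoke } = makeRoleBundle({ ledger, printer });
  const out = [];
  out.push(bundle.ledger.append('invoice-1'));  // job holder uses the bundle
  const savedRead = bundle.ledger.read;         // holder keeps a method reference
  out.push(bundle.printer.print('q1'));
  revoke();                                     // person changes jobs
  for (const attempt of [() => bundle.ledger.append('x'), savedRead]) {
    try { attempt(); out.push('allowed'); } catch (e) { out.push(e.message); }
  }
  out.push(ledger.read().length);               // grantor's direct access is unaffected
  return out;
}
```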