[cap-talk] Change-hat with capabilities (Comparing models)
dmbarbour at gmail.com
Thu Jun 16 01:32:11 PDT 2011
On Wed, Jun 15, 2011 at 11:05 PM, Rob Meijer <capibara at xs4all.nl> wrote:
> On Tue, June 14, 2011 08:35, Rob Meijer wrote:
> > This is another confusing thing about RBAC. I have until now seen two
> > very distinctive 'Role' based systems.
> > 1) The role as 'bundle of permissions' that can be assigned to a user in
> > an accumulative way. The user has all her roles at the same time.
> > 2) The role as 'hat'. The user can change roles like changing hats, one
> > hat at a time, according to some state machine definition that allows
> > certain changes but possibly not others.
> I am really struggling with the question if a generic change-hat type of
> pattern would be possible with capabilities. Anyone have any idea on
You have an object that allows you to change roles via string or
enumeration. The object returns a capability for your current role. Each
time you change roles, the previous capability is revoked along with all
capabilities discovered through it - i.e. revocation membrane.
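
The pattern described in the reply above, sketched as an added example that is not part of the original post. The names `makeMembrane`, `makeHatStand`, `changeHat` and the ledger roles are assumptions made for illustration, and the transition table reflects the state machine mentioned in the quoted question.

```javascript
'use strict';

// Simplified revocable membrane: everything reached through `root` is wrapped
// too, and all wrappers share one switch. Only get/apply/set are mediated and
// arguments passed inward are not wrapped; a full membrane covers every trap.
function makeMembrane(root) {
  let live = true;
  const wrappers = new WeakMap();
  const check = () => { if (!live) throw new Error('revoked'); };
  const wrap = (value) => {
    if (Object(value) !== value) return value; // primitives carry no authority
    if (!wrappers.has(value)) {
      wrappers.set(value, new Proxy(value, {
        get(t, k) { check(); return wrap(Reflect.get(t, k)); },
        set(t, k, v) { check(); return Reflect.set(t, k, v); },
        apply(t, self, args) { check(); return wrap(Reflect.apply(t, self, args)); },
      }));
    }
    return wrappers.get(value);
  };
  return { cap: wrap(root), revoke() { live = false; } };
}

// Hypothetical hat stand. `hats` maps role name -> that role's authority;
// `transitions` maps the current role (or 'none') -> roles reachable from it.
function makeHatStand(hats, transitions) {
  let current = { name: 'none', revoke() {} };
  return {
    changeHat(name) {
      const known = Object.prototype.hasOwnProperty.call(hats, name);
      if (!known || !(transitions[current.name] || []).includes(name)) {
        throw new Error('role change not allowed');
      }
      current.revoke(); // kills the old hat and everything found through it
      const { cap, revoke } = makeMembrane(hats[name]);
      current = { name, revoke };
      return cap;
    },
  };
}

// Constructed sample: a clerk may become an auditor, but not the reverse.
function demoStand() {
  const entries = ['opening balance'];
  const hats = {
    clerk: { ledger: { append: (e) => entries.push(e) } },
    auditor: { ledger: { read: () => entries.join('; ') } },
  };
  return makeHatStand(hats, { none: ['clerk'], clerk: ['auditor'], auditor: [] });
}
```

A reference taken from the clerk hat before the switch, such as `clerk.ledger` or its `append` method, throws `revoked` once `changeHat('auditor')` succeeds, because it was handed out through the same membrane.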