[cap-talk] Change-hat with capabilities (Comparing models)

David Barbour dmbarbour at gmail.com
Thu Jun 16 01:32:11 PDT 2011


On Wed, Jun 15, 2011 at 11:05 PM, Rob Meijer <capibara at xs4all.nl> wrote:

> On Tue, June 14, 2011 08:35, Rob Meijer wrote:
>
> >
> > This is another confusing thing about RBAC. I have until now seen two
> > very distinctive 'Role' based systems.
> >
> > 1) The role as 'bundle of permissions' that can be assigned to a user in
> > an accumulative way. The user has all her roles at the same time.
> > 2) The role as 'hat'. The user can change roles like changing hats, one
> > hat at a time, according to some state machine definition that allows
> > certain changes but possibly not others.
>
> I am really struggling with the question if a generic change-hat type of
> pattern would be possible with capabilities.  Anyone have any idea on
> that?
>

You have an object that allows you to change roles via string or
enumeration. The object returns a capability for your current role. Each
time you change roles, the previous capability is revoked along with all
capabilities discovered through it - i.e. revocation membrane.
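
The pattern described in the reply above, as an added example that is not part of the original post or of any code from the list: a role-switch object hands out the current hat behind a revocable membrane and enforces the allowed transitions. `makeMembrane`, `makeHatSwitch` and the clerk/auditor roles are hypothetical names, and the membrane wraps only values flowing out to the holder.

```javascript
// Added example; makeMembrane, makeHatSwitch and the sample roles are hypothetical names.
function makeMembrane(target) {
  let revoked = false;
  const seen = new WeakMap();
  const check = () => { if (revoked) throw new TypeError('capability revoked'); };
  const wrap = (value) => {
    if (Object(value) !== value) return value;      // primitives carry no authority
    if (seen.has(value)) return seen.get(value);
    const proxy = new Proxy(value, {
      // Anything reached through the membrane is wrapped too, so it shares the switch.
      get(t, key) { check(); return wrap(Reflect.get(t, key)); },
      apply(t, self, args) { check(); return wrap(Reflect.apply(t, undefined, args)); },
      set() { check(); return false; },             // no writes through the membrane
    });
    seen.set(value, proxy);
    return proxy;
  };
  return { cap: wrap(target), revoke: () => { revoked = true; } };
}

// transitions maps each role name to the roles reachable from it (the hat state machine).
function makeHatSwitch(roles, transitions, initial) {
  let name = initial;
  let active = makeMembrane(roles[name]);
  return {
    current: () => active.cap,
    change(next) {
      const allowed = (transitions[name] || []).includes(next);
      if (!allowed) throw new Error(`transition ${name} -> ${next} not allowed`);
      active.revoke();                 // old hat, and all it handed out, goes dead
      name = next;
      active = makeMembrane(roles[name]);
      return active.cap;
    },
  };
}

function demo() {
  const ledger = [];                   // constructed sample state
  const roles = {
    clerk: { openDraft: () => ({ add: (x) => ledger.push(x) }) },
    auditor: { report: () => ledger.join(',') },
  };
  const hats = makeHatSwitch(roles, { clerk: ['auditor'], auditor: [] }, 'clerk');
  const draft = hats.current().openDraft();   // discovered through the clerk hat
  draft.add('invoice-1');
  const auditor = hats.change('auditor');
  const attempt = (f) => { try { return f(); } catch (e) { return e.message; } };
  return { report: auditor.report(), staleDraft: attempt(() => draft.add('invoice-2')),
           backToClerk: attempt(() => hats.change('clerk')), ledger: ledger.slice() };
}
```

The `draft` object was never handed out by the switch itself, yet it stops working after the hat change because it was obtained through the clerk membrane.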