W3C home > Mailing lists > Public > ietf-dav-versioning@w3.org > April to June 2001

RE: [ACL] RE: lock and access control lists on (working) versions

From: Clemm, Geoff <gclemm@rational.com>
Date: Tue, 12 Jun 2001 21:08:19 -0400
Message-ID: <3906C56A7BD1F54593344C05BD1374B10350A030@SUS-MA1IT01>
To: ietf-dav-versioning@w3.org
Cc: acl@webdav.org
I believe Yaron was just saying he both wanted "what the ACL was at
the time it was checked in" (i.e. a historical record, that
presumably could be re-instated with you "update" a VCR to select
that version), as well as an ACL that actually affects who
can access the version.

My response is that in practice, nobody does anything like what
Yaron describes, and so we can leave it as a "server value add"
for now.  Realistically, you won't get all that much interoperability
from ACL's anyway (although they are a lot better than nothing),
so the chances of any significant interoperability benefit from
defining a standard way to access historical access values is
vanishingly small.

Cheers,
Geoff

-----Original Message-----
From: Eric Sedlar [mailto:Eric.Sedlar@oracle.com]
Sent: Tuesday, June 12, 2001 6:45 PM
To: Yaron Goland; Clemm, Geoff; ietf-dav-versioning@w3.org
Cc: acl@webdav.org
Subject: RE: [ACL] RE: lock and access control lists on (working)
versions


Isn't "the ACL list it currently uses to decide who gets to see the version"
the ACL on the version history resource, or is what you want a version-
independent ACL that applies to all versions of a resource, that can
override the ACL on that particular version?

> -----Original Message-----
> From: acl-admin@webdav.org [mailto:acl-admin@webdav.org]On Behalf Of
> Yaron Goland
> Sent: Tuesday, June 12, 2001 2:29 PM
> To: Clemm, Geoff; ietf-dav-versioning@w3.org
> Cc: acl@webdav.org
> Subject: RE: [ACL] RE: lock and access control lists on (working)
> versions
>
>
> When I version a resource I will also likely want to version the access
> control list it had when I 'froze' it. This is very important for things
> like security checks. Imagine that an employee who was fired a year ago
> turned out to be a corporate spy, you are going to want to check what
> resources he had access to back then. This means that a version
> really needs
> two sets of ACLs. One if the ACL list it had when it was frozen. The other
> is the ACL list it currently uses to decide who gets to see the version.
>
> > -----Original Message-----
> > From: acl-admin@webdav.org [mailto:acl-admin@webdav.org]On Behalf Of
> > Clemm, Geoff
> > Sent: Saturday, May 26, 2001 8:27 AM
> > To: ietf-dav-versioning@w3.org
> > Cc: acl@webdav.org
> > Subject: [ACL] RE: lock and access control lists on (working) versions
> >
> >
> > As Tim surmised, the answer to (1) is in fact "yes".
> > Each version is a separate resource, and each resource
> > can have its own distinct access control list.
> >
> > Cheers,
> > Geoff
> >
> > -----Original Message-----
> > From: Tim_Ellison@uk.ibm.com [mailto:Tim_Ellison@uk.ibm.com]
> > Sent: Wednesday, May 16, 2001 5:42 AM
> > To: ietf-dav-versioning@w3.org
> > Cc: acl@webdav.org
> > Subject: Re: lock and access control lists on (working) versions
> >
> >
> >
> >
> > "Pill, Juergen" <Juergen.Pill@softwareag.com>
> > > Hello,
> > >
> > > 1) Would it be possible with DETA-V to have different access
> > control list
> > > for different versions of a resource, e.g. V1 of resource /foo
> > will allow
> > > user A to modify and read, but V2 of resource /foo will allow
> user A to
> > read
> > > read only?
> >
> > You'd have to ask the ACL-folk that question, but I would sincerely hope
> > the answer is 'yes'.
> >
> > > 2) Would it be possible to have two distinct locks on two different
> > > (working) resources?
> >
> > Yes.  Working resources have distinct server-defined URLs.  They can be
> > locked using their URLs just like any other resource.
> >
> > > Does that make sense at all?
> >
> > Yep.
> >
> > Tim
> >
> >
> > _______________________________________________
> > acl mailing list
> > acl@webdav.org
> > http://mailman.webdav.org/mailman/listinfo/acl
> >
>
>
>
>
> _______________________________________________
> acl mailing list
> acl@webdav.org
> http://mailman.webdav.org/mailman/listinfo/acl
>


_______________________________________________
acl mailing list
acl@webdav.org
http://mailman.webdav.org/mailman/listinfo/acl
Received on Tuesday, 12 June 2001 21:03:20 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 13:57:41 GMT