RE: [ACL] RE: lock and access control lists on (working) versions

If "frozen" == "checked in" then you have no way of knowing what
resources an employee used to have, since they may have selected
an older version with a particular workspace.

I guess the basic question is whether or not ACLs are versioned like
a dead property.  In other words, does changing the ACL create a new
version?  I think that if you do create a new version when you change
the ACL, you will get what you want, since by correlating the
creation date of each version with the ACL on each, you can figure
out what versions of the resource a particular user had access to
during a particular period of time.

> -----Original Message-----
> From: acl-admin@webdav.org [mailto:acl-admin@webdav.org]On Behalf Of
> Clemm, Geoff
> Sent: Wednesday, June 13, 2001 9:47 AM
> To: ietf-dav-versioning@w3.org
> Cc: acl@webdav.org
> Subject: RE: [ACL] RE: lock and access control lists on (working)
> versions
>
>
> "frozen" == "checked in".
>
> -----Original Message-----
> From: Eric Sedlar [mailto:Eric.Sedlar@oracle.com]
>
> When is a resource frozen?  Can you translate that into DeltaV terms?
>
>
> > -----Original Message-----
> > From: ietf-dav-versioning-request@w3.org
> > [mailto:ietf-dav-versioning-request@w3.org]On Behalf Of Yaron Goland
> >
> > When I version a resource I will also likely want to version the access
> > control list it had when I 'froze' it. This is very important for things
> > like security checks. Imagine that an employee who was fired a year ago
> > turned out to be a corporate spy, you are going to want to check what
> > resources he had access to back then. This means that a version
> > really needs
> > two sets of ACLs. One if the ACL list it had when it was
> frozen. The other
> > is the ACL list it currently uses to decide who gets to see the version.
> >
> > > -----Original Message-----
> > > From: acl-admin@webdav.org [mailto:acl-admin@webdav.org]On Behalf Of
> > > Clemm, Geoff
> > >
> > > As Tim surmised, the answer to (1) is in fact "yes".
> > > Each version is a separate resource, and each resource
> > > can have its own distinct access control list.
> > >
> > > Cheers,
> > > Geoff
> > >
> > > -----Original Message-----
> > > From: Tim_Ellison@uk.ibm.com [mailto:Tim_Ellison@uk.ibm.com]
> > >
> > > "Pill, Juergen" <Juergen.Pill@softwareag.com>
> > > > Hello,
> > > >
> > > > 1) Would it be possible with DETA-V to have different access
> > > control list
> > > > for different versions of a resource, e.g. V1 of resource /foo
> > > will allow
> > > > user A to modify and read, but V2 of resource /foo will allow
> > user A to
> > > read
> > > > read only?
> > >
> > > You'd have to ask the ACL-folk that question, but I would
> sincerely hope
> > > the answer is 'yes'.
> > >
> > > > 2) Would it be possible to have two distinct locks on two different
> > > > (working) resources?
> > >
> > > Yes.  Working resources have distinct server-defined URLs.
> They can be
> > > locked using their URLs just like any other resource.
> > >
>
> _______________________________________________
> acl mailing list
> acl@webdav.org
> http://mailman.webdav.org/mailman/listinfo/acl
>

Received on Wednesday, 13 June 2001 14:08:40 UTC