W3C home > Mailing lists > Public > ietf-dav-versioning@w3.org > April to June 2001

RE: [ACL] RE: lock and access control lists on (working) versions

From: Clemm, Geoff <gclemm@rational.com>
Date: Wed, 13 Jun 2001 14:27:53 -0400
Message-ID: <3906C56A7BD1F54593344C05BD1374B1018E246F@SUS-MA1IT01>
To: ietf-dav-versioning@w3.org
Cc: acl@webdav.org
I don't think anyone was suggesting "either/or" here.
The ACL on a version resource will always be the ACL
that control access to that version resource (and can
be changed, when you change your mind about who can
access that version resource).

Yaron was just suggesting that we add *another* property
that captures the ACL of the version-controlled resource
at the time of check-in.  This would not be the DAV:acl
property, but would be something like the DAV:checkin-acl
property.

In an earlier message, I indicated that I believed there
is not sufficient value or interest in a DAV:checkin-acl
property to merit its inclusion in either
the versioning or the acl protocol.

Cheers,
Geoff


-----Original Message-----
From: Eric Sedlar [mailto:Eric.Sedlar@oracle.com]
Sent: Wednesday, June 13, 2001 2:00 PM
To: Clemm, Geoff; ietf-dav-versioning@w3.org
Cc: acl@webdav.org
Subject: RE: [ACL] RE: lock and access control lists on (working)
versions


If "frozen" == "checked in" then you have no way of knowing what
resources an employee used to have, since they may have selected
an older version with a particular workspace.

I guess the basic question is whether or not ACLs are versioned like
a dead property.  In other words, does changing the ACL create a new
version?  I think that if you do create a new version when you change
the ACL, you will get what you want, since by correlating the
creation date of each version with the ACL on each, you can figure
out what versions of the resource a particular user had access to
during a particular period of time.

> -----Original Message-----
> From: acl-admin@webdav.org [mailto:acl-admin@webdav.org]On Behalf Of
> Clemm, Geoff
> Sent: Wednesday, June 13, 2001 9:47 AM
> To: ietf-dav-versioning@w3.org
> Cc: acl@webdav.org
> Subject: RE: [ACL] RE: lock and access control lists on (working)
> versions
>
>
> "frozen" == "checked in".
>
> -----Original Message-----
> From: Eric Sedlar [mailto:Eric.Sedlar@oracle.com]
>
> When is a resource frozen?  Can you translate that into DeltaV terms?
>
>
> > -----Original Message-----
> > From: ietf-dav-versioning-request@w3.org
> > [mailto:ietf-dav-versioning-request@w3.org]On Behalf Of Yaron Goland
> >
> > When I version a resource I will also likely want to version the access
> > control list it had when I 'froze' it. This is very important for things
> > like security checks. Imagine that an employee who was fired a year ago
> > turned out to be a corporate spy, you are going to want to check what
> > resources he had access to back then. This means that a version
> > really needs
> > two sets of ACLs. One if the ACL list it had when it was
> frozen. The other
> > is the ACL list it currently uses to decide who gets to see the version.
> >
> > > -----Original Message-----
> > > From: acl-admin@webdav.org [mailto:acl-admin@webdav.org]On Behalf Of
> > > Clemm, Geoff
> > >
> > > As Tim surmised, the answer to (1) is in fact "yes".
> > > Each version is a separate resource, and each resource
> > > can have its own distinct access control list.
> > >
> > > Cheers,
> > > Geoff
> > >
> > > -----Original Message-----
> > > From: Tim_Ellison@uk.ibm.com [mailto:Tim_Ellison@uk.ibm.com]
> > >
> > > "Pill, Juergen" <Juergen.Pill@softwareag.com>
> > > > Hello,
> > > >
> > > > 1) Would it be possible with DETA-V to have different access
> > > control list
> > > > for different versions of a resource, e.g. V1 of resource /foo
> > > will allow
> > > > user A to modify and read, but V2 of resource /foo will allow
> > user A to
> > > read
> > > > read only?
> > >
> > > You'd have to ask the ACL-folk that question, but I would
> sincerely hope
> > > the answer is 'yes'.
> > >
> > > > 2) Would it be possible to have two distinct locks on two different
> > > > (working) resources?
> > >
> > > Yes.  Working resources have distinct server-defined URLs.
> They can be
> > > locked using their URLs just like any other resource.
> > >
>
> _______________________________________________
> acl mailing list
> acl@webdav.org
> http://mailman.webdav.org/mailman/listinfo/acl
>
Received on Wednesday, 13 June 2001 14:28:32 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 13:57:41 GMT