Re: Access Control Preliminary Draft

> I agree with Jim that we should try to keep design decisions out of the
> requirements paper.  Both the "policies as resources" and "access
> attributes" are design decisions.  The suggestion that access control will
> be implemented by HTTP methods is also a design constraint.
> 

The concept that access policies are a resource can be eliminated
and thought of in an abstract sense.

The setting of access attributes via the metadata model can be
eliminated as a design constraint.

As I understood it, implementation via HTTP is a requirement of
the WebDAV charter and the general consensus.  This can be eliminated
if it is felt that this shouldn't be true for access control.

> 
> 3. [Notification to applications -- I share Jim's skepticism about this.]
> 

A stated WebDAV requirement appears to be that any resource on
any medium could be controlled.  If we don't include applications,
then I don't believe we meet this goal.  We should make a decision
as to whether WebDAV access control will apply only to static
document-based resources or any type of resource.

 
> Section 5.5: It sounds as if you want to require every WebDAV-compliant
> server to support all the categories of access control in this section.  In
> the general requirements draft, we agreed to avoid talking about compliance,
> leaving compliance issues to the WebDAV spec. In any case, I'm not sure we
> should require WebDAV servers to provide access control at all, much less
> this particular list of categories.  I guess I think of a set of categories
> like the one you propose as similar to metadata schemas.  There could be
> lots of different access control schemas, each defined in a resource
> somewhere, and servers could make it known which schema(s) they support.

There are two items here:

  1) Whether access control will be a WebDAV requirement.  Thus far,
     general consensus has been that it should.
 
  2) The objective was to define required categories of access
     control that would be "understood" by all WebDAV servers, not
     that it necessarily implement each category.  In fact, the
     proposed requirements document states that it would be up to
     the WebDAV server to determine how it would interpret the
     meaning of a particular access control attribute.

Received on Thursday, 3 July 1997 12:16:47 UTC