Hi Jesse,

--- Jesse Vincent firstname.lastname@example.org wrote:
> On Wed, Jul 30, 2003 at 06:14:59AM -0700, Stanislav Sinyagin wrote:
> > There are some global group rights that permit something
> > to some privileged users. It would be interesting for certain queues
> > to prohibit some of those rights from the global configuration.
> > Same thing would be interesting for certain users out of a group to override
> > (and revoke) the group rights.
>
> It would definitely be interesting and when I designed the ACL system we
> have now, I spent a long time thinking about how we could accomplish
> this without crippling the system’s performance. I didn’t have any
> bright ideas. Do you?

As far as I understand, now you follow down the group hierarchy and global->queue level
hierarchy until you find the required privilege.
In this new feature design, we follow the hierarchy down to the end
and collect the information about required privilege.
Thus the lower levels of the hierarchy may have a chance to revoke
the right if it’s given on upper level.
Then we store it in a cache, which should be designed to give three types
– Principal A has privilege B for object C
– Principal A does not have privilege B for object C
– There is no information in the cache about this (A,B,C) triple.
When the privileges are edited, the cache should be cleaned in that part that
is concerned. Or, probably it’s easier to clean the whole cache.
seems quite affordable to me…
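
The scheme proposed in this message, as an added Python sketch (not code from RT or from either poster): the resolver walks the whole hierarchy so a lower level can revoke an upper-level grant, and the cache keeps "denied" distinct from "not cached". The class and method names, the walk order (global then queue, groups then user, last entry found wins), the default-deny fallback and the sample entries are all assumptions made for illustration.

```python
class AclCache:
    """Rights resolver with a tri-state cache: True, False, or None (no entry)."""

    def __init__(self, entries, memberships):
        self.entries = dict(entries)    # (scope, principal, right) -> True grant / False revoke
        self.memberships = memberships  # user -> list of groups
        self.cache = {}                 # (user, right, queue) -> bool
        self.walks = 0                  # number of full hierarchy walks performed

    def lookup(self, user, right, queue):
        # None means "nothing cached"; a cached denial is False, not a miss.
        return self.cache.get((user, right, queue))

    def resolve(self, user, right, queue):
        # Walk the whole hierarchy instead of stopping at the first grant,
        # so a more specific level can revoke what a more general one gave.
        self.walks += 1
        decision = False  # assumed default: no entry anywhere means no right
        for scope in ("global", queue):
            for principal in (*self.memberships.get(user, ()), user):
                entry = self.entries.get((scope, principal, right))
                if entry is not None:
                    decision = entry
        return decision

    def has_right(self, user, right, queue):
        cached = self.lookup(user, right, queue)
        if cached is None:  # must be "is None": False is a valid cached answer
            cached = self.resolve(user, right, queue)
            self.cache[(user, right, queue)] = cached
        return cached

    def set_entry(self, scope, principal, right, allow):
        # Editing any right drops the whole cache (the simpler option mentioned).
        self.entries[(scope, principal, right)] = allow
        self.cache.clear()


def build_sample():
    # Constructed sample data, not taken from a real RT configuration.
    return AclCache(
        entries={
            ("global", "staff", "ModifyTicket"): True,     # global group right
            ("security", "staff", "ModifyTicket"): False,  # queue revokes it
            ("global", "carol", "ModifyTicket"): False,    # user-level revoke
        },
        memberships={"bob": ["staff"], "carol": ["staff"]},
    )
```

Testing the cached value with a plain truthiness check would treat every cached denial as a miss and re-walk the hierarchy on each denied request, which is the performance cost the cache is meant to avoid.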