Security Objects and other notes


Jeff Martin

Sep 21, 2012, 12:43:40 PM
to activity...@googlegroups.com
Doing a bit more work on our activity streams implementation.  

We want to provide a record of auditing events for some administration activity, and I was at a loss for a couple of objects.

Role - somewhat similar to a group although the registry lists Group as a social networking group.  Roles would be assigned permissions, People would be assigned to a role.
Permission - an object describing the ability to do something in a security context, probably has a relationship with some other object.

I don't remember how the discussion ended up with objects that were really close to each other... for instance, I would be fine with representing a Role in my application as a Group Object or maybe a Job object in the activity if the description didn't specifically say social networking.

I think these objects would be using the Assign verb frequently.

Thanks,
-Jeff

PS:
Typo on the Device object in the registry: A device of any type

James M Snell

Sep 21, 2012, 4:24:27 PM
to activity...@googlegroups.com

I recently saw another prototype system using the same object types. Are there any additional properties associated with either object type?

--
You received this message because you are subscribed to the Google Groups "Activity Streams" group.
To view this discussion on the web visit https://groups.google.com/d/msg/activity-streams/-/XtL_X4j1fY8J.
To post to this group, send email to activity...@googlegroups.com.
To unsubscribe from this group, send email to activity-strea...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/activity-streams?hl=en.

Jeff Martin

Sep 21, 2012, 5:06:13 PM
to activity...@googlegroups.com
I'm not thinking of any that are outside the bounds of a normal object serialization as described in the spec.

I might lobby for calling it SecurityRole rather than the more generic Role - context is everything... 

-Jeff

Jeff Martin

Sep 21, 2012, 5:14:48 PM
to activity...@googlegroups.com
After looking at your markdown document of the schema... I'm sure that Role is not equivalent to group - it would be nice if the description in the registry matched what is in the schema document...  I don't think you join or leave a role typically.

Continuing to look at that document the Event has collections like "attending" etc.

Maybe the Role should have a "members" optional property and "permissions" optional property.

The Permission probably has a collection of verbs (not activity verbs - but security verbs - Read, Write, Create, Delete, Administer) and a collection of objects that the verbs apply to.

James M Snell

Sep 21, 2012, 5:44:40 PM
to activity...@googlegroups.com
On Fri, Sep 21, 2012 at 2:14 PM, Jeff Martin <je...@jeffmartin.com> wrote:
> After looking at your markdown document of the schema... I'm sure that Role is not equivalent to group - it would be nice if the description in the registry matched what is in the schema document...  I don't think you join or leave a role typically.


Agreed... however there is a gray area here in that Security Groups and Security Roles generally overlap. i.e. if I add you to the "admin" group on my linux box, have you joined a group or have you been assigned a role? It will largely depend on the application context. There is definitely room (and justification I think) for a distinct Role object.

(I will be updating the registry to match the document, shortly... unless one of the other folks with edit permissions wants to jump in to do it ;-) .... ahem...) ;-)

Just running through some examples...

# James assigned the Admin Role to "Jeff"
{
  "actor": {"displayName": "James"},
  "verb": "assign",
  "object": {"objectType": "role", "displayName": "admin"},
  "target": {"displayName": "Jeff"}
}

# Jeff has joined the "admin" group
{
  "actor": {"displayName": "Jeff"},
  "verb": "join",
  "object": {"objectType": "group", "displayName": "admin"}
}

# Jeff is requesting to join the admin group
{
  "actor": {"displayName": "Jeff"},
  "verb": "request",
  "object": {
    "objectType": "task",
    "actor": {"displayName": "Jeff"},
    "verb": "join",
    "object": {"objectType": "group", "displayName": "admin" }
  }
}

# Jeff is requesting that an existing admin assign him the admin role
{
  "actor": {"displayName": "Jeff"},
  "verb": "request",
  "object": {
    "objectType": "task",
    "actor": {"objectType": "role", "displayName": "admin"},
    "verb": "assign",
    "object": {"objectType": "role", "displayName": "admin" },
    "target": {"displayName": "Jeff"}
  }
}
 
There are plenty of variations. One thing I can see us needing to look at is the fact that the way the "assign" verb is currently defined, it's "Actor -assigns- Object to Target" . We currently do not have a means of expressing "Actor was assigned Object" ... there are other verbs that may work: "receive" for instance; or "accept". Thoughts?

> Continuing to look at that document the Event has collections like "attending" etc.
>
> Maybe the Role should have a "members" optional property and "permissions" optional property.


A "members" property could apply to both "group" and "role". 

A "permissions" property could make sense. I'm not convinced it needs to be a collection object tho. The main reason for using a collection object would be if you potentially needed the ability to support paging or linking out to a separate document. For permissions, a simple Array of Permission objects would likely be sufficient.

 
> The Permission probably has a collection of verbs (not activity verbs - but security verbs - Read, Write, Create, Delete, Administer) and a collection of objects that the verbs apply to.


Hmm.. that could be pretty complicated pretty quickly. Perhaps something along these lines would work tho:

  {
    "objectType": "permission",
    "scope": {
      // some object describing the scope of the permission
    },
    "actions": ["read","write",...]
  }

Where scope is some optional, arbitrary object that defines the general scope of the permission. This could, in theory, be any objectType (including collection); and "actions" is a simple Array of Strings, each of which is a simple application defined token.

Also, in your previous note you had raised the point of using "SecurityRole" instead of just "Role" for the objectType... I'm not entirely convinced that's necessary. Consider, for instance, that many kinds of groups have many kinds of roles... For instance, a group representing a team of some sort might have a "team captain" role. This would have nothing to do with security but follows the exact same activity pattern:

  {
    "actor": { "objectType": "group", "displayName": "My Football Team" },
    "verb": "assign",
    "object": {"objectType": "role", "displayName": "Team Captain" },
    "target": { "displayName": "Jeff" }
  }

In general, I'd prefer to keep the object types and verbs as generic as possible and allow the properties and application around those to fill in the contextual detail.

Thoughts?

- James
 
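Added example, not part of the thread: a Python sketch that replays "assign" activities shaped like the ones in the message above and reconstructs who holds which permission actions on which scope, which is what an audit consumer of such a stream would do. The sample stream is constructed; the `permissions` array on a role, keying people by `displayName`, and the `(unscoped)` marker are assumptions for illustration.

```python
# Constructed sample stream (not from the thread). Roles carry the proposed
# "permissions" array; each permission has "scope" and "actions".
ADMIN = {"objectType": "role", "displayName": "admin", "permissions": [
    {"objectType": "permission", "actions": ["view"],
     "scope": {"objectType": "video", "id": "http://example.org/foo.mpg"}},
    {"objectType": "permission", "actions": ["read", "write"],
     "scope": {"displayName": "My typeless object"}},
]}
STREAM = [
    {"actor": {"displayName": "James"}, "verb": "assign",
     "object": ADMIN, "target": {"displayName": "Jeff"}},
    # A request wraps the assign in a task: it is intent, not a grant.
    {"actor": {"displayName": "Alice"}, "verb": "request",
     "object": {"objectType": "task", "verb": "assign",
                "object": ADMIN, "target": {"displayName": "Alice"}}},
    # Non-security role with no permissions: same pattern, nothing granted.
    {"actor": {"objectType": "group", "displayName": "My Football Team"},
     "verb": "assign",
     "object": {"objectType": "role", "displayName": "Team Captain"},
     "target": {"displayName": "Jeff"}},
]

def scope_key(scope):
    """Assumption: identify a scope by id, else displayName, else a marker."""
    return scope.get("id") or scope.get("displayName") or "(unscoped)"

def effective_permissions(stream):
    """Replay top-level role assignments into {person: {scope: {actions}}}."""
    grants = {}
    for act in stream:
        role = act.get("object") or {}
        # Assumption: people are keyed by displayName; a real log would use id.
        target = (act.get("target") or {}).get("displayName")
        if act.get("verb") != "assign" or role.get("objectType") != "role":
            continue
        if not target:
            continue  # malformed audit event: no one to attribute the grant to
        for perm in role.get("permissions", []):
            if perm.get("objectType") != "permission":
                continue
            key = scope_key(perm.get("scope") or {})
            grants.setdefault(target, {}).setdefault(key, set()).update(
                perm.get("actions", []))
    return grants

if __name__ == "__main__":
    for person, scopes in effective_permissions(STREAM).items():
        print(person, {k: sorted(v) for k, v in scopes.items()})
```
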

Jeff Martin

Sep 21, 2012, 6:02:02 PM
to activity...@googlegroups.com
Interesting - I had envisioned opposite usages of target and object with the assigned a role... I guess it doesn't really matter...

Yea... I'm fine with Role being generic.

+1 to scope and actions.

-Jeff

Jeff Martin

Oct 2, 2012, 11:57:34 AM
to activity...@googlegroups.com
I am putting together some example activities for this latest usage of my service and coming up with a little bit of a loss.

A permission objectType seems to represent the ability to do something (read, write, etc.) to a resource (generally represented by a URI, but could be a file, some reference to a section of an application, etc.).

I am building a permission object like this:

{"objectType": "permission", "displayName": "read:path/to/my/resource", "id": "AAA"}

{"objectType": "permission", "displayName": "write:path/to/my/resource", "id": "BBB"}

but I think I want to use the attachments property to point to the resource:

{"objectType": "permission",
 "displayName": "read:classroom/discussion/assignment",
 "id": "AAA",
 "attachments": [{"objectType": "resource",
                  "displayName": "path/to/my/resource",
                  "id": "CCC"}]}


The problem I am having is that I am not finding anything generic enough in the Schema for that object type (there is no objectType "resource" defined by the schema).   File doesn't really work - it's not a file even though it has a path.  Some others seem close but not really appropriate.

Given no other input, I will use "resource".   Is this something that could be added to the schema/repository?


-Jeff

James M Snell

Oct 2, 2012, 12:45:02 PM
to activity...@googlegroups.com
The "permission" object is defined with a "scope" property that is used to identify the object to which the permission applies. Its value is an object of any object type. The object type will depend entirely on the application context.

For example, if I wanted to describe a permission to view a video... it could be:

  {
    "objectType": "permission",
    "actions": ["view"],
    "scope": {
      "objectType": "video",
      "id": "http://example.org/foo.mpg",
      "displayName": "A video of my cat"
    }
  }

To describe a permission to share a file...

  {
    "objectType": "permission",
    "actions": ["share"],
    "scope": {
      "objectType": "file"
    }
  }

For some other arbitrary resource that really doesn't have an object type, simply leave the objectType property out...

  {
    "objectType": "permission",
    "actions": ["read","write"],
    "scope": {
      "displayName": "My typeless object"
    }
  }

Or invent a new extension object type...

  {
    "objectType": "permission",
    "actions": ["read","write"],
    "scope": {
      "displayName": "My foo object"
    }
  }

- James



Jeff Martin

Oct 2, 2012, 2:15:12 PM
to activity...@googlegroups.com
Ok good, I like the scope and actions properties.

What do you think about another object type - 
"resource" - Represents an asset of some type not otherwise defined, this could be a network location or even a piece of functionality in an application.

-Jeff

James M Snell

Oct 2, 2012, 2:23:05 PM
to activity...@googlegroups.com
I'm not convinced that it's necessary, really. We already have the notion of a typeless-object (an object with no 'objectType' property) that can serve the same general purpose. For anything specific, I would much rather have an explicit objectType, even if it's an extension type, e.g. "objectType": "http://example.org/network-location".

- James


Evan Prodromou

Oct 3, 2012, 11:39:54 AM
to activity...@googlegroups.com
James, Jeff,

I think if we keep adding object types to the soi-disant "core schema" it will never ship.

We have an extension definition system and registry mechanism for activity streams; could we use it for "security objects"?

-Evan