[Fuge-devel] using FuGE for basic authentication and authorization


Hermida, Leandro

May 22, 2008, 6:01:52 AM
to fuge-...@lists.sourceforge.net

Hi everyone,

I am trying to work out how to cleanly build on any FuGE database implementation to provide the basic authentication and authorization data components while integrating as much as possible with the model. For authentication it seems straightforward to create a class User which extends from Person. Is there anything wrong with doing that? As for authorization it seems not so clear. Authorization typically deals with roles and groups and in FuGE there are the Security* classes. Would SecurityGroup be used for holding both roles and groups?

Or do people think it is a much better idea to keep such data models completely separate from FuGE?

Thanks for any advice,

Leandro

Jones, Andy

May 22, 2008, 6:48:41 AM
to fuge-...@lists.sourceforge.net

Hi Leandro,

I think the intention was that the FuGE Security mechanism could do this.

XML Example:

<fuge:AuditCollection>

    <fuge:Security identifier="exp1:security1">
        <fuge:_owners Contact_ref="exp1:Person1"/>

        <fuge:SecurityAccess SecurityGroup_ref="exp1:SG1">
            <fuge:_accessRight OntologyTerm_ref="OT:read_access"/>
        </fuge:SecurityAccess>

        <fuge:SecurityAccess SecurityGroup_ref="exp1:SG1">
            <fuge:_accessRight OntologyTerm_ref="OT:write_access"/>
        </fuge:SecurityAccess>
    </fuge:Security>

    <fuge:Person identifier="exp1:Person1" lastName="Jones"/>
    <fuge:Person identifier="exp1:Person2" lastName="Hermida"/>

    <fuge:SecurityGroup identifier="exp1:SG1">
        <fuge:_members Contact_ref="exp1:Person1"/>
        <fuge:_members Contact_ref="exp1:Person2"/>
    </fuge:SecurityGroup>

</fuge:AuditCollection>

<fuge:ProtocolCollection>
    <fuge:GenericProtocol identifier="" Security_ref="exp1:security1">
    </fuge:GenericProtocol>
</fuge:ProtocolCollection>

 

(Ontology terms not shown)

So you can apply access rights down to the level of individual objects if required, does this make sense?

Cheers

Andy
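The access model Andy sketches above (SecurityGroup membership plus per-object grants reached through Security_ref) evaluated as an authorization check, added here as an example that is neither code from this thread nor from the FuGE STK. The wrapping FuGE root element, the namespace URI, the second group SG2 and the unsecured protocol2 are constructed assumptions; anything that cannot be resolved (no Security_ref, dangling group or security reference) is treated as deny.

```python
import xml.etree.ElementTree as ET

NS = {"fuge": "urn:example:fuge"}  # assumed placeholder URI, not the real FuGE schema namespace

# Constructed sample modelled on Andy's XML; SG2 and protocol2 are added to exercise the negative cases.
SAMPLE = """<fuge:FuGE xmlns:fuge="urn:example:fuge">
 <fuge:AuditCollection>
  <fuge:Security identifier="exp1:security1">
   <fuge:_owners Contact_ref="exp1:Person1"/>
   <fuge:SecurityAccess SecurityGroup_ref="exp1:SG1"><fuge:_accessRight OntologyTerm_ref="OT:read_access"/></fuge:SecurityAccess>
   <fuge:SecurityAccess SecurityGroup_ref="exp1:SG2"><fuge:_accessRight OntologyTerm_ref="OT:write_access"/></fuge:SecurityAccess>
  </fuge:Security>
  <fuge:SecurityGroup identifier="exp1:SG1">
   <fuge:_members Contact_ref="exp1:Person1"/>
   <fuge:_members Contact_ref="exp1:Person2"/>
  </fuge:SecurityGroup>
  <fuge:SecurityGroup identifier="exp1:SG2"><fuge:_members Contact_ref="exp1:Person1"/></fuge:SecurityGroup>
 </fuge:AuditCollection>
 <fuge:ProtocolCollection>
  <fuge:GenericProtocol identifier="exp1:protocol1" Security_ref="exp1:security1"/>
  <fuge:GenericProtocol identifier="exp1:protocol2"/>
 </fuge:ProtocolCollection>
</fuge:FuGE>"""


def load_index(xml_text):
    """Index SecurityGroup membership and Security owners/grants by identifier."""
    root = ET.fromstring(xml_text)
    groups = {g.get("identifier"): {m.get("Contact_ref") for m in g.findall("fuge:_members", NS)}
              for g in root.iter(f"{{{NS['fuge']}}}SecurityGroup")}
    securities = {}
    for sec in root.iter(f"{{{NS['fuge']}}}Security"):
        owners = {o.get("Contact_ref") for o in sec.findall("fuge:_owners", NS)}
        # One (group, set of ontology-term rights) pair per SecurityAccess element.
        grants = [(a.get("SecurityGroup_ref"),
                   {r.get("OntologyTerm_ref") for r in a.findall("fuge:_accessRight", NS)})
                  for a in sec.findall("fuge:SecurityAccess", NS)]
        securities[sec.get("identifier")] = (owners, grants)
    return root, groups, securities


def has_right(index, object_id, contact_id, right):
    """Owners hold every right; unsecured objects and dangling references are denied (fail closed)."""
    root, groups, securities = index
    obj = next((e for e in root.iter() if e.get("identifier") == object_id), None)
    sec_ref = obj.get("Security_ref") if obj is not None else None
    owners, grants = securities.get(sec_ref, (set(), []))
    return contact_id in owners or any(
        contact_id in groups.get(group, set()) and right in rights for group, rights in grants)
```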

Hermida, Leandro

May 22, 2008, 11:48:03 AM
to fuge-...@lists.sourceforge.net

Hello,

Thank you for the reply and sorry for being a bit daft. Maybe I see it more clearly now.

- A group is a collection of users, so I guess Organization can be used or subclassed
- A role is a collection of access privileges (or a class of access privileges) that can be assigned to users and to groups

Is that what SecurityGroup is? It seems like so…

leandro

Miller, Michael D (Rosetta)

May 22, 2008, 12:23:01 PM
to fuge-...@lists.sourceforge.net
hi leandro,
 
if i remember right, SecurityGroup was to map to the DB concept of a group, not a role, in the MAGE-OM, which FuGE inherits the idea from.  we purposely decided not to go any further since we started treading on DB concepts and didn't want to go too far.
 
as an aside, the use case for these classes is pretty tightly bound to a set of organizations or within an organization that are exchanging FuGE documents and wish to have some protection on who can view the documents once they are imported.  the classes don't really make sense for general, open public interchange.  so how one group of collaborators will make use and interpret these classes doesn't necessarily have to match how another collaboration might make use of them.  but to have a base implementation in the stk is great, as always, great work.
 
that said, for our application with MAGE import/export we've been able to make pretty good use of these classes for our customers.
 
cheers,
michael
