Monday, July 16, 2007

More on entitlements

Securent CEO Rajiv Gupta replied to my earlier posting on entitlement (and also posted it to the Entitlement Blog) saying, in effect, everybody was right. And, while I'm fain to disagree with that, I will. Because there are aspects of Rajiv's posting I disagree with.

At the most basic level, I simply cannot agree when he says "Should there be a special set of attributes called 'roles'." Now some will say this is merely a semantic difference, but I see a "role" as an object in its own right, and the users filling that role as the values of an attribute of the role. Further, of course, the role can be determined by the value of one or more attributes attached to the user (the ideal situation, creating so-called "dynamic" roles). The difference is important because it is frequently necessary to determine who is assigned to which role - and that's much easier if you don't have to walk the entire directory tree examining each user.

Rajiv also notes:
"As an example if my daughter’s school wants to define and use the “parent or guardian of” attribute, perhaps by asking for my daughter’s birth certificate, that is of no interest to the liquor stores in the world who care that I am of legal drinking age. Since these attributes are application-specific, it is best that they be defined and managed by the application owners or administrators. And because they are delegated and application-specific we are spared the m times n problem. "
Those attributes ("father" and "over 21"), though, are of interest to more than one application. The values, though, need only be calculated at the time they are asked for, the first possibly coming from a "childrens' names" attribute, but more likely stored as an attribute of the child; the latter calculated based on the date of birth attribute.

Nothing Rajiv says argues against the use of role-mining, role-management and role-enforcing services, at least as I see them. And it was that denigration of roles that was the bone of contention in my original post.

(Note, Rajiv, I would also have posted this as a comment to your entry, but your WorPress/OpenID module seems broken)

Comments: Post a Comment

© 2003-2006 The Virtual Quill, All Rights Reserved


[Powered by Blogger]