[Cosmo-dev] Sharing format questions

Morgen Sagen morgen at osafoundation.org
Tue Jul 25 12:14:23 PDT 2006


On Jul 25, 2006, at 7:55 AM, Brian Moseley wrote:

> On 7/24/06, Bobby Rullo <br at osafoundation.org> wrote:
>
>> In a world without hierarchies, what is a child/parent? If parents
>> are tags or collections, how would you resolve situations where an
>> item is in multiple collections, and those collections all have
>> different ACLs? Would you choose the most restrictive ACL? Or the
>> least? Or something else?
>
> i don't believe we have any plans to share by tag, so i don't think
> that's an issue. as for collections, i'd suggest applying the acl of
> the collection under consideration, then overriding it with the
> contained item's acl.

Depending on how you look at it, tags are equivalent to collections.   
I was thinking about how to deal with items, collections/tags and  
ACLs this morning, and I am starting to like this approach:

- On Cosmo, Items are in a soup, identified by UUID.
- We define the term "Principal" which represents a Ticket, an  
Account, or a Group (where a Group can contain Accounts or other Groups)
- There are two types of Permissions: Read-only and Read-write
- An "Access Control Entry" (ACE) indicates a certain Principal has a  
given Permission for a given Item
- An "Access Control List" (ACL) is a list of ACEs
- There are special items called Tags which contain an ACL
- The Principal who originally PUTs an item to Cosmo is the "owner"  
and always has full permission to that item regardless of ACLs
- An Item may be "tagged" (associated with existing Tag items) or  
"untagged"
- A Principal's access to an Item is determined by iterating all the  
Tags associated with that Item and examining the ACEs to see if any  
match that Principal; the most lenient permission wins (Read-write  
trumps Read-only)
- A Principal which has Read-only permission to an item may not alter  
it in any way (including tagging/untagging); this solves the problem  
of someone getting a hold of an item Read-only and then moving to a  
collection they have Read-write access to and suddenly being able to  
modify that item.
- A Principal which has Read-write permission to an item may modify  
or delete it; they may also tag or untag the item using any Tag that  
the Principal has Read-write access to.  Therefore if a Principal  
only has Read-only access to a Tag, they may not associate that Tag  
with any items even if they have Read-write access to those items.   
In other words, just because I have write access to an Item doesn't  
mean I can add it to any Tag I want -- I must have been granted
Read-write permission for that Tag also.

There are some details to work out, for sure.  Such as:

- Who can modify the ACL of a Tag?  Any Principal which has a
Read-write ACE in that ACL?
- Should Tags be hierarchical?
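
An added example, not part of the original message or of Cosmo's code: a Python sketch of the access check proposed above, with nested Groups resolved transitively. It assumes a Tag's own ACL (plus its owner) decides who has Read-write access to that Tag, which the message leaves open; all names and sample data are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Perm(IntEnum):  # ordered so max() implements "most lenient wins"
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2

@dataclass
class Tag:
    owner: str
    acl: dict = field(default_factory=dict)  # ACL as {principal: Perm}, one ACE per key

@dataclass
class Item:
    owner: str
    tags: list = field(default_factory=list)

def identities(principal, groups):
    # The principal plus every Group containing it, directly or through nesting.
    ids, size = {principal}, 0
    while len(ids) != size:  # fixed point, so cyclic membership terminates
        size = len(ids)
        ids |= {g for g, members in groups.items() if members & ids}
    return ids

def acl_perm(acl, ids):
    return max((p for who, p in acl.items() if who in ids), default=Perm.NONE)

def tag_perm(principal, tag, groups):
    # Assumption: a Tag is an item too, so its owner has full permission on it.
    if principal == tag.owner:
        return Perm.READ_WRITE
    return acl_perm(tag.acl, identities(principal, groups))

def item_perm(principal, item, groups):
    if principal == item.owner:  # owner has full permission regardless of ACLs
        return Perm.READ_WRITE
    ids = identities(principal, groups)
    return max((acl_perm(t.acl, ids) for t in item.tags), default=Perm.NONE)

def can_tag(principal, item, tag, groups):  # needs Read-write on Item AND Tag
    return min(item_perm(principal, item, groups),
               tag_perm(principal, tag, groups)) == Perm.READ_WRITE

# Constructed sample data: bob is in devs, and devs is nested inside staff.
GROUPS = {"devs": {"bob"}, "staff": {"devs"}}
shared = Tag("alice", {"staff": Perm.READ_ONLY})
scratch, editors = Tag("bob"), Tag("alice", {"bob": Perm.READ_WRITE})
note, note2 = Item("alice", [shared]), Item("alice", [shared, editors])
```

With this data, bob reads `note` through the nested `staff` Group but cannot attach his own `scratch` Tag to it, which is the Read-only escalation the proposal is meant to block.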
