tags:
views: 371
answers: 0

When implementing an RBAC model using an LDAP store (I'm using Apache Directory 1.0.2 as a testbed), some of the actors are obviously mappable to specific objectClasses:

  • Resources - I don't see a clear mapping for this one. applicationEntity seems only tangentially intended for this purpose
  • Permissions - a Permission can be viewed as a single-purpose Role; obviously I'm not thinking of an LDAP permission, as they govern access to LDAP objects and attributes rather than an RBAC permission to a Resource
  • Roles - maps fairly directly to groupOfNames or groupOfUniqueNames, right?
  • Users - person

In the past I've seen models where a Resource isn't dealt with in the directory in any fashion, and Permissions and Roles were mapped to Active Directory Groups.

Is there a better way to represent these actors? How about a document discussing good mappings and intents of the schema?
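As an added example (not code from the question or from Apache Directory), here is the mapping the question sketches, worked through end to end: Users as person/inetOrgPerson entries, Roles as groupOfNames entries under ou=roles, and Permissions as groupOfNames entries under ou=permissions whose `member` values are role DNs, so a permission is literally a single-purpose role. Resources get no entry at all, as in the Active Directory model mentioned in the question; instead the example assumes the convention that a permission's `cn` is `<resource>:<action>`. The LDIF is constructed sample data, the base DNs are assumptions, and the LDIF parser is deliberately minimal (no base64 `::` values, no line continuations, no RFC 4514 escaping) so the whole thing runs offline without a directory server.

```python
"""Resolve an RBAC model stored in LDAP: person -> groupOfNames (role)
-> groupOfNames (permission).  Added example, not from the original post.

Assumptions (not in the post): permission cn is "<resource>:<action>",
resources have no directory entry, the ou=roles / ou=permissions base DNs,
and SAMPLE_LDIF is constructed data, not a dump of a real server."""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example

dn: uid=bob,ou=users,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
sn: Example

dn: cn=payroll-admins,ou=roles,dc=example,dc=com
objectClass: groupOfNames
cn: payroll-admins
member: uid=alice,ou=users,dc=example,dc=com

dn: cn=payroll-auditors,ou=roles,dc=example,dc=com
objectClass: groupOfNames
cn: payroll-auditors
member: uid=bob,ou=users,dc=example,dc=com
member: cn=payroll-admins,ou=roles,dc=example,dc=com

dn: cn=payroll:read,ou=permissions,dc=example,dc=com
objectClass: groupOfNames
cn: payroll:read
member: cn=payroll-auditors,ou=roles,dc=example,dc=com

dn: cn=payroll:write,ou=permissions,dc=example,dc=com
objectClass: groupOfNames
cn: payroll:write
member: cn=payroll-admins,ou=roles,dc=example,dc=com
"""

ROLE_BASE = "ou=roles,dc=example,dc=com"          # assumed layout
PERM_BASE = "ou=permissions,dc=example,dc=com"    # assumed layout


def norm_dn(dn):
    """Normalize a DN for comparison: attribute types and (for these
    attributes) values are case-insensitive, and whitespace around the
    comma separators is insignificant.  Simplified: RFC 4514 escaping and
    multi-valued RDNs are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader: returns {normalized dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = norm_dn(value)
            entries[current] = defaultdict(list)
        elif current is not None:
            # member values are DNs, so normalize them at load time
            entries[current][attr].append(norm_dn(value) if attr == "member" else value)
    return entries


def groups_containing(entries, dn):
    """Equivalent of the LDAP search (&(objectClass=groupOfNames)(member=<dn>)).
    Membership lives on the group entry, not the person: standard
    inetOrgPerson has no memberOf back-link, so the check must search groups."""
    dn = norm_dn(dn)
    return [g for g, attrs in entries.items()
            if "groupOfNames" in attrs.get("objectclass", [])
            and dn in attrs.get("member", [])]


def effective_groups(entries, user_dn):
    """Transitive closure over nested membership (role inside role, role
    inside permission).  The visited set stops a membership cycle from
    looping forever."""
    seen, todo = set(), [norm_dn(user_dn)]
    while todo:
        dn = todo.pop()
        for g in groups_containing(entries, dn):
            if g not in seen:
                seen.add(g)
                todo.append(g)
    return seen


def roles_of(entries, user_dn):
    return sorted(entries[g]["cn"][0] for g in effective_groups(entries, user_dn)
                  if g.endswith("," + ROLE_BASE))


def permissions_of(entries, user_dn):
    return sorted(entries[g]["cn"][0] for g in effective_groups(entries, user_dn)
                  if g.endswith("," + PERM_BASE))


def has_permission(entries, user_dn, resource, action):
    return f"{resource}:{action}" in permissions_of(entries, user_dn)


DIRECTORY = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for uid in ("alice", "bob"):
        dn = f"uid={uid},ou=users,dc=example,dc=com"
        print(uid, roles_of(DIRECTORY, dn), permissions_of(DIRECTORY, dn))
```

Two caveats that bite when this is moved onto a real server: groupOfNames lists `member` as a MUST attribute in the RFC 2256 schema, so a role or permission with no members cannot be created while schema checking is on (you have to seed it with a placeholder DN or use a different objectClass), and the authorization check is a group search by `member`, which means the application's bind identity needs read access to ou=roles and ou=permissions but nothing else.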