> -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf > Of Frerk.Meyer at Edeka.de > Sent: Tuesday, June 14, 2005 1:11 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: Ideas for fds - roles / > forward groups[Auf Viren gepr?ft] > > > The naming is a misfortune: nsrole = netscape roles First > because they have their proprietary origin in the name. This is not an unusual thing for a proprietary attribute type. We used ns* _because_ it namespaces the attribute and differentiates from standard attributes. Were roles to ever get a draft written I am sure the type name would be changed to ldaprole or some such. > Second because most applications use LDAP groups to determine > application roles, and LDAP roles are just another kind of > group definition but no roles at all. They became roles by > interpreting them in an application for authorization. They are a little more than a grouping mechanism, role based attributes provide for much greater power than a mere group. And actually, for LDAP, they _do_ perform the function of roles, allowing for authorization in the directory and property inheritance. Applications could choose to use these roles to perform their authorization functionality too via directory access control. > Static LDAP roles do it like in every RDBMS, so it's right > but non standard. I should become standard IMHO. I agree. Probably the largest impediment to that happening before now were patent applications filed for the technology.
