Comment: Corrected links that should have been relative instead of absolute.

This page is related to the Aggregated Layout Management Convergence 2.x effort that will be added to 3.x.

A Need Exposed

The introduction of the JA-SIG Aggregated Layout Management feature reuses the GroupsManager channel to define who receives pushed fragments or who can subscribe to pulled fragments. Although it appears on screen to use the same assignment paradigm, it varies significantly from the grant model used by Channel Manager. Namely, the new ALM functionality did not make use of the existing permissions infrastructure.

...

By providing such a servant and clarifying how applications should use it, the servant should be readily usable by other applications, including aggregated layout management.

Complex Logic and User Attributes

One aspect of permission grants as a servant is that they are inherently a simple boolean construct. If the user is a member of "group A OR group B OR group C" then they get the permission and hence can use the channel. More complex combination logic should be available for determining grants.

Additionally, only Group Membership has traditionally been available for granting access to channels. Not until recently could user attributes also be used. They are made available through static person attribute groups defined in an XML file and evaluated at log-in time. This is a good step toward more flexible assignment of permissions. However, there is currently no way to incorporate dynamic creation of such user attribute groups in the permission granting step.

Restricted Grants

Currently, if a person is granted Channel Publishing permission, there is no way to attach to that grant criteria specifying to whom they can publish channels. Such a capability is accomplished by configuring permissions for the GroupsManager channel, restricting which groups a particular user can view, select, update, edit, delete, etc.

This means that when fragment publishing is enhanced to use permissions correctly, and fragment publishing is granted to a user along with channel publishing, there is no way to distinguish the set of users to whom they can publish channels from the set to whom they can publish fragments.

A suggestion for enhancement of grant restrictions has been outlined here: Grant Restriction Enhancements
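
The two gaps described under "Complex Logic and User Attributes" and "Restricted Grants" can be modelled together. The following Python sketch is an added example, not uPortal code and not the design proposed on this page: each grant carries a principal expression (AND/OR/NOT over groups and user attributes, evaluated at decision time) and a per-activity audience restriction. The activity names, the tuple expression format and the sample users are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical principal expressions, written as nested tuples:
#   ("group", name) | ("attr", key, value) | ("and", e...) | ("or", e...) | ("not", e)
def matches(expr, user):
    """Evaluate a principal expression against the user's current groups and attributes."""
    op, *args = expr
    if op == "group":
        return args[0] in user["groups"]
    if op == "attr":  # checked at decision time, not frozen at log-in
        return user["attrs"].get(args[0]) == args[1]
    if op == "and":
        return all(matches(e, user) for e in args)
    if op == "or":
        return any(matches(e, user) for e in args)
    if op == "not":
        return not matches(args[0], user)
    raise ValueError(f"unknown operator: {op!r}")  # malformed grants fail closed

@dataclass(frozen=True)
class Grant:
    activity: str         # hypothetical names: "PUBLISH_CHANNEL", "PUBLISH_FRAGMENT"
    principal: tuple      # who holds the grant
    audiences: frozenset  # restriction: groups the holder may publish to

def may_publish(grants, user, activity, audience):
    """Default deny: some grant must match the activity, the audience and the user."""
    return any(
        g.activity == activity
        and audience in g.audiences
        and matches(g.principal, user)
        for g in grants
    )

# Constructed sample data (not taken from any real deployment).
GRANTS = [
    Grant("PUBLISH_CHANNEL",
          ("and",
           ("or", ("group", "Faculty"), ("group", "Staff")),
           ("attr", "department", "Library"),
           ("not", ("group", "Suspended"))),
          frozenset({"Students", "Faculty"})),
    Grant("PUBLISH_FRAGMENT", ("group", "Staff"), frozenset({"Staff"})),
]
ALICE = {"groups": {"Staff"}, "attrs": {"department": "Library"}}
BOB = {"groups": {"Staff", "Suspended"}, "attrs": {"department": "Library"}}
```

Because the audience restriction is stored on each grant, the same user can publish channels to one set of groups and fragments to another, which a single set of GroupsManager permissions cannot express.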