Difference between revisions of "Keystone-Essex-BP-AuthZ"
Line 2: | Line 2: | ||
'''Goals:''' | '''Goals:''' | ||
− | * Support a capability model by allowing services identify capabilities by endpoint | + | * Support a capability model (Ex: Delete Files) by allowing services identify capabilities by endpoint |
* Map capabilities to role, allowing a role to span multiple endpoints & services | * Map capabilities to role, allowing a role to span multiple endpoints & services | ||
+ | * Allow restrictions on capabilities to certain resources (ex: John Doe may have access to Delete Files but only on myserver.server.com). | ||
* Map users and groups to roles | * Map users and groups to roles | ||
[[Image:Keystone-Essex-BP-AuthZ$ProposedKeystoneAuthZStructure.png]] | [[Image:Keystone-Essex-BP-AuthZ$ProposedKeystoneAuthZStructure.png]] |
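Review bot: The added restriction bullet uses a host name (myserver.server.com) as its example of a resource, but the goals never say how a resource is identified or what a capability with no restriction attached means. Say explicitly whether an unrestricted capability applies to every resource on the endpoint or to none, since reading a missing restriction as "all resources" is the permissive direction. Two wording points in the changed lines: "allowing services identify" in the first bullet is missing "to", and the capitalisation of "Ex:" and "ex:" differs between the two bullets.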
Revision as of 18:54, 7 September 2011
Goals:
- Support a capability model (e.g. Delete Files) by allowing services to identify capabilities by endpoint
- Map capabilities to roles, allowing a role to span multiple endpoints & services
- Allow capabilities to be restricted to certain resources (e.g. John Doe may have access to Delete Files, but only on myserver.server.com).
- Map users and groups to roles
File:Keystone-Essex-BP-AuthZ$ProposedKeystoneAuthZStructure.png
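The goals above can be read as a small data model with a default-deny check. The sketch below is an added example, not code from Keystone or from this blueprint. The class and function names, the endpoint, role and group names, and the choice that a grant without a resource list applies to any resource on its endpoint are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Grant:
    endpoint: str                          # endpoint whose service defines the capability
    capability: str                        # e.g. "Delete Files"
    resources: Optional[frozenset] = None  # assumption: None = any resource on the endpoint

class AuthZ:
    def __init__(self):
        self.role_grants = {}  # role -> set of Grant (a role may span endpoints/services)
        self.user_roles = {}   # user -> set of roles
        self.group_roles = {}  # group -> set of roles
        self.user_groups = {}  # user -> set of groups

    def roles_for(self, user):
        """Roles held directly plus roles inherited through group membership."""
        roles = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def is_allowed(self, user, endpoint, capability, resource):
        for role in self.roles_for(user):
            for grant in self.role_grants.get(role, ()):
                # A capability is identified by endpoint, so both must match.
                if (grant.endpoint, grant.capability) != (endpoint, capability):
                    continue
                if grant.resources is None or resource in grant.resources:
                    return True
        return False  # default deny: no role carries a matching grant

def sample_policy():
    """Constructed data: endpoint, role and group names are made up."""
    az = AuthZ()
    az.role_grants["file-operator"] = {
        Grant("files.example", "Delete Files", frozenset({"myserver.server.com"})),
        Grant("backup.example", "List Backups"),
    }
    az.role_grants["file-admin"] = {Grant("files.example", "Delete Files")}
    az.user_roles["John Doe"] = {"file-operator"}
    az.group_roles["storage-admins"] = {"file-admin"}
    az.user_groups["Jane Roe"] = {"storage-admins"}
    return az

if __name__ == "__main__":
    az = sample_policy()
    print(az.is_allowed("John Doe", "files.example", "Delete Files", "myserver.server.com"))
    print(az.is_allowed("John Doe", "files.example", "Delete Files", "other.server.com"))
```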