On Sun, 2004-08-22 at 08:22, David R. Baird wrote:
> At the moment, I'm favouring something with Tree and ACL in it, plus
> something like MethodMaker to indicate the code-managing aspect.
> Maybe Perms instead of ACL, but ACL seems to be the standard
> terminology.

ACL and groups are different competing ways of skinning the same cat. In groups, you associate the capability with the group and list the users with the capability in the group. With access control lists, every protected resource keeps a list of users and privilege levels. No matter how the internals work, authorization comes down to answering the question "Does holding credential C authorize access to resource R?" and there's a big virtual matrix with all credentials and all resources and a yes or no in each box. Access control lists and group lists are ways to normalize and compress that big virtual matrix. Systems such as TACACS and RADIUS have whole languages for creating processes that can answer authorization questions. For that matter, so are firewall rules, .htaccess files, and any section of any configuration file containing the words "allow" or "deny."
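
The matrix view described in the message above, as an added Python example that is not part of the original message: one policy is stored once as per-resource ACLs and once as groups, and both are expanded into the same credential-by-resource matrix and compared. All user, group and resource names are constructed sample data, and privilege levels are reduced to yes/no.

```python
from itertools import product

# Constructed sample data (hypothetical names, not from the thread).
USERS = ["alice", "bob", "carol", "dave"]
RESOURCES = ["/wiki", "/payroll", "/builds"]

# ACL form: every protected resource keeps its own list of users.
ACLS = {
    "/wiki": {"alice", "bob", "carol", "dave"},
    "/payroll": {"alice"},
    "/builds": {"bob", "carol"},
}

# Group form: the capability hangs off the group; users are listed in the group.
GROUP_MEMBERS = {
    "staff": {"alice", "bob", "carol", "dave"},
    "hr": {"alice"},
    "dev": {"bob", "carol"},
}
GROUP_GRANTS = {"staff": {"/wiki"}, "hr": {"/payroll"}, "dev": {"/builds"}}


def matrix_from_acls(acls, users, resources):
    """Expand per-resource ACLs into the full yes/no matrix."""
    return {(u, r): u in acls.get(r, set()) for u, r in product(users, resources)}


def matrix_from_groups(members, grants, users, resources):
    """Expand group membership plus group grants into the same matrix."""
    matrix = {(u, r): False for u, r in product(users, resources)}  # default deny
    for group, granted in grants.items():
        for cell in product(members.get(group, set()), granted):
            if cell in matrix:  # ignore users/resources outside the matrix
                matrix[cell] = True
    return matrix


def authorized(matrix, credential, resource):
    """Does holding credential C authorize access to resource R? Unknown means no."""
    return matrix.get((credential, resource), False)


def differences(a, b):
    """Cells where two encodings of the policy disagree."""
    return sorted(cell for cell in a if a[cell] != b.get(cell, False))


if __name__ == "__main__":
    by_acl = matrix_from_acls(ACLS, USERS, RESOURCES)
    by_group = matrix_from_groups(GROUP_MEMBERS, GROUP_GRANTS, USERS, RESOURCES)
    print("encodings agree:", not differences(by_acl, by_group))
```

Running `differences` between the two encodings after a change to either one shows exactly which boxes of the matrix changed, which is a useful review step when a group membership edit is meant to leave access to other resources untouched.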
