. the usual acct'based security is a convenience of generics;
the app inherits the capabilities of whatever user launched it;
this is not in itself a security curse;
rather the curse comes when
changing user acct's is not at all convenient .
. the real problem with acct'based security
is that fast user switching needs to be more than fast;
rather, it needs to be concurrent,
so you can have windows into each user'acct,
rather than just one user's acct windowing multiple app's or doc's .
[10.18: -- like the windows of virtual machines .]
[10.18:
. the desktop would contain, in addition to all the volumes,
all the user folders, each representing
either a user'acct, or a user's session .
. you can create a new window by clicking on a user acct,
and if you don't already have a window into that user,
it asks you for that user's password . ]
cap'config'ed acct's:
. after the user-switching issue,
there's the problem of granularity:
. the finest granularity is capability-based addressing:
for a particular job (app call)
an app is given a particular set of tools
(readers, writers, compilers, ...)
with which to operate on a particular set of obj's .
. one way to provide this cap'based addressing
-- in a convenient, generic way
that involves inheritance --
is to have, in addition to user acct's,
cap'config'ed acct's
that specify the current capabilities .
. these acct's are folders that contain config files,
such that when an app is run from that window
it inherits -- not the rights of the user --
but the allowances set forth in the config files
of the window's current cap'config acct .
[10.18:
. the quick way to set up a config file
is to simply accept an app's externals list;
eg, an editor needs access only to
( the doc's the user asked it to open
, the temp'files within its private folder, and
, some auto'backup arrangement on another volume
) .
. most app's can be defined functionally,
and the config' doesn't get too complicated . ]
. for complicated config's,
the app's externals.list could be a folder to be filled with
links to allowables .
(it could work like the directory listing command,
where listings could come with a parameter to indicate
whether it means just the files in the given folder,
or all files in all the enclosed subfolders also ) .
[10.18:
. another dimension of the cap'config'ed acct
is having the config's determine what app's are available generally,
and what app is available specifically
when a particular type of obj' is clicked . ]
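. as an added illustration (not the post's own code), a small Python model of the cap'config'ed acct's allowances: an editor's externals list, where each folder entry carries a flag for the just-this-folder versus all-enclosed-subfolders distinction, and a check an app run from that window would be held to; the paths and names are constructed .

```python
# Added example, not code from the post: a toy model of a cap'config'ed acct.
# The window's config is a list of "allowables" (the post's externals list);
# folder entries carry a flag saying whether enclosed subfolders count too,
# like the directory-listing parameter the post mentions. An app launched
# from the window gets only these, never the launching user's rights.
# All paths and names below are constructed for illustration.
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Allowable:
    path: str                # file or folder the app may touch
    modes: str               # subset of "rw"
    recursive: bool = False  # folder entry: include enclosed subfolders?


def editor_config(opened_docs):
    """Build the editor's allowances from the three externals the post lists."""
    cfg = [Allowable(d, "rw") for d in opened_docs]      # docs the user opened
    cfg.append(Allowable("/home/ann/Library/editor/tmp", "rw", recursive=True))
    cfg.append(Allowable("/Volumes/Backup/editor", "w"))  # auto'backup, write-only
    return cfg


def _covers(entry, target):
    base = PurePosixPath(entry.path)
    if target == base:
        return True
    if entry.recursive:
        return base in target.parents   # anywhere under the folder
    return target.parent == base        # only the folder's immediate children


def is_allowed(config, target, mode):
    """Would an app run from this cap'config window get `mode` on `target`?"""
    t = PurePosixPath(target)
    # refuse relative paths and unresolved ".." so an entry cannot be escaped
    if not t.is_absolute() or ".." in t.parts:
        return False
    return any(mode in e.modes and _covers(e, t) for e in config)


if __name__ == "__main__":
    cfg = editor_config(["/home/ann/docs/report.txt"])
    for path, mode in [("/home/ann/docs/report.txt", "w"),
                       ("/home/ann/docs/secret.txt", "r"),
                       ("/Volumes/Backup/editor/report.txt.bak", "r")]:
        verdict = "allowed" if is_allowed(cfg, path, mode) else "denied"
        print(f"{mode} {path}: {verdict}")
```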