[rt-devel] Rights revoke on queue level

[Stanislav Sinyagin]

--- Stanislav Sinyagin <ssinyagin at yahoo.com> wrote:
> In this new feature design, we follow the hierarchy down to the end 
> and collect the information about required privilege. 
> Thus the lower levels of the hierarchy may have a chance to revoke 
> the right if it's given on upper level.

Perhaps it's even cheaper to climb the hierarchy from its bottom: 
from queue rights to global rights, and from user rights to the groups 
it belongs to, and so on. Then the first grant or revocation 
that we meet will give us the answer. 

There also needs to be a conflict resolution mechanism: 
User X belongs to groups G1 and G2. In G1 or its parents, the required privilege 
is granted, but in G2 it's revoked. 
Maybe we need two types of revocation: 

-- Soft revocation: in conflict situation, permission is stronger than denial
-- Hard revokation: in conflict situation, denial has absolute power.

yeah, looks like a nightmare for system administratiors...

Stan