Access Controls

Wed, 27 Dec 2000 09:22:40 -0500

On Wed, Dec 27, 2000 at 10:13:58AM -0500, Derek Atkins wrote:
> It is unclear that the security server and the engine need to be on
> the same machine; so long as the security server is associated with
> the datastore, it should suffice.  E.g., if you don't have access to
> data, you wont be able to retreive it from the datastore in the first
> place.  From a security standpoint, you want the access control checks
> to be as close to the "object" as possible.
> 
> I'm not convinced you want the "engine" to be across the network from
> the UI.  I've always seen the engine to be a data cache and
> manipulation tool, talking across the network to the datastore.
> Perhaps I have a slanted view of the engine's role in a distributed
> system?

No, you don't want the entire engine to be across the network,
primarily for performance reasons, especially on slow networks. I
agree with you, the server side should be relatively thin and provide
only an API into the data store.

-- 
Dr. David C. Merrill                     http://www.lupercalia.net
Linux Documentation Project                dmerrill@lupercalia.net
Collection Editor & Coordinator            http://www.linuxdoc.org
                                       Finger me for my public key

Q:	What's the difference betweeen USL and the Graf Zeppelin?
A:	The Graf Zeppelin represented cutting edge technology for its time.