Using ACLs in JSON

Discussion in 'Python' started by Peter Brooks, May 24, 2013.

  1. Peter Brooks

    I'm designing a system that should allow different views to different
    audiences. I understand that I can use application logic to control
    the access security, but it seems to me that it'd make more sense to
    have this documented in the data-stream so that it's data-driven.

    I was wondering if there was any standard way of doing this in JSON.
    Alternatively, is there a better way of organising this in Python
    that's compatible with JSON?

    I've put an example of the sort of thing that I mean below. The idea
    is that this object is accessible for viewing or deleting by the role
    'HR' and available for change only to the owner of the record itself.
    In addition, the record can be viewed by those with the role
    'manager'. The syntax may be wrong, but I hope that my intention is
    reasonably clear.

    Is there an existing practice or standard for doing this sort of
    thing?

    {
        "title" : "Example Schema",
        "type" : "object",
        "version" : "1.0",
        "properties": {
            "firstname" : {
                "type": "string"
            },
            "lastname" : {
                "type": "string"
            },
            "age" : {
                "description" : "Age in years",
                "type": "integer",
                "minimum": 0
            }
        },
        "ACL-view": ["HR","Manager",["firstname","lastname"]],
        "ACL-change": ["firstname","Lastname"],
        "ACL-delete": ["HR"],
        "required": ["firstname","lastname"]
    }
    Peter Brooks, May 24, 2013
    #1

  2. Not exactly what you want but you may consider Google ACL XML[1].

    If there aren't any system integration restrictions you can do what you think is best... for now.


    [1] https://developers.google.com/storage/docs/accesscontrol#applyacls


    ----------------------------------------
    > Date: Fri, 24 May 2013 01:18:06 -0700
    > Subject: Using ACLs in JSON
    > From:
    > To:
    >
    > I'm designing a system that should allow different views to different
    > audiences. I understand that I can use application logic to control
    > the access security, but it seems to me that it'd make more sense to
    > have this documented in the data-stream so that it's data-driven.
    >
    > I was wondering if there was any standard way of doing this in JSON.
    > Alternatively, is there a better way of organising this in Python
    > that's compatible with JSON?
    >
    > I've put an example of the sort of thing that I mean below. The idea
    > is that this object is accessible for viewing or deleting by the role
    > 'HR' and available for change only to the owner of the record itself.
    > In addition, the record can be viewed by those with the role
    > 'manager'. The syntax may be wrong, but I hope that my intention is
    > reasonably clear.
    >
    > Is there an existing practice or standard for doing this sort of
    > thing?
    >
    > {
    > "title" : "Example Schema",
    > "type" : "object",
    > "version" : "1.0",
    > "properties": {
    > "firstname" : {
    > "type": "string"
    > },
    > "lastname" : {
    > "type": "string"
    > },
    > "age" : {
    > "description" : "Age in years",
    > "type": "integer",
    > "minimum": 0
    > }
    > },
    > "ACL-view": ["HR","Manager",["firstname","lastname"]],
    > "ACL-change": ["firstname","Lastname"],
    > "ACL-delete": ["HR"],
    > "required": ["firstname","lastname"]
    > }
    > --
    > http://mail.python.org/mailman/listinfo/python-list
    Carlos Nepomuceno, May 24, 2013
    #2

  3. On 05/24/2013 02:18 AM, Peter Brooks wrote:
    > I'm designing a system that should allow different views to different
    > audiences. I understand that I can use application logic to control
    > the access security, but it seems to me that it'd make more sense to
    > have this documented in the data-stream so that it's data-driven.
    >
    > I was wondering if there was any standard way of doing this in JSON.
    > Alternatively, is there a better way of organising this in Python
    > that's compatible with JSON?


    While I don't understand exactly what you're using JSON for, and nor do
    I understand the purpose of the JSON structure you posted, I can say
    that ACLs have nothing to do with JSON.

    JSON is simply a data markup format, like HTML, XML, plain text, or an
    INI file. It's merely data. If you want to restrict who sees what when
    they request a chunk of data formatted using JSON, then you have to
    enforce that in the code that's processing the request for data using
    another mechanism. And that mechanism depends on how your clients ask
    for JSON data, and what code is serving or generating the JSON data.
    Michael Torrie, May 24, 2013
    #3
  4. Peter Brooks

    On May 24, 6:42 pm, Michael Torrie wrote:
    > On 05/24/2013 02:18 AM, Peter Brooks wrote:
    >
    > > I'm designing a system that should allow different views to different
    > > audiences. I understand that I can use application logic to control
    > > the access security, but it seems to me that it'd make more sense to
    > > have this documented in the data-stream so that it's data-driven.

    >
    > > I was wondering if there was any standard way of doing this in JSON.
    > > Alternatively, is there a better way of organising this in Python
    > > that's compatible with JSON?

    >
    > While I don't understand exactly what you're using JSON for, and nor do
    > I understand the purpose of the JSON structure you posted, I can say
    > that ACLs have nothing to do with JSON.
    >
    > JSON is simply a data markup format, like HTML, XML, plain text, or an
    > INI file.  It's merely data.  If you want to restrict who sees what when
    > they request a chunk of data formatted using JSON, then you have to
    > enforce that in the code that's processing the request for data using
    > another mechanism.  And that mechanism depends on how your clients ask
    > for JSON data, and what code is serving or generating the JSON data.
    >

    Yes, you're right, I know that. However, I want the permissions
    embedded in the data so that it's easy to verify, from the data, who
    has access to which objects. The reason is to enforce transparency of
    the access rights and to make them easy to grant and change without
    needing to make any coding changes.

    My question was whether anybody had taken a similar approach and found
    a way that worked well with python or, even better, if there was a
    standard way of doing this.

    If nobody has done this, then I'm happy to invent my own method, but I
    don't really want to reinvent wheels that might have been nicely
    designed already.
    Peter Brooks, May 24, 2013
    #4
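
An added example, not code from any poster in this thread: one way to combine the two positions above, with the permissions stored in the JSON record and the enforcement done in the server code that builds the response. The `acl` layout (action, then role, then fields), the `owner` pseudo-role and all function names are assumptions made for this sketch; the record is constructed sample data.

```python
import json

# Constructed sample record as the server stores it. The "acl" layout is an
# assumption for this example, not a standard and not the syntax in post #1.
STORED = json.loads("""
{
  "owner": "pbrooks",
  "data": {"firstname": "Peter", "lastname": "Brooks", "age": 40},
  "acl": {
    "view":   {"HR": ["*"], "Manager": ["firstname", "lastname"]},
    "change": {"owner": ["firstname", "lastname"]},
    "delete": {"HR": ["*"]}
  }
}
""")

def allowed_fields(record, action, user, roles):
    """Fields `user` may touch for `action`; anything not granted is denied."""
    # `user` and `roles` must come from the server's authentication layer,
    # never from the request body. "owner" is only ever derived here.
    effective = set(roles) - {"owner"}
    if user == record.get("owner"):
        effective.add("owner")
    grants = record.get("acl", {}).get(action, {})
    granted = set()
    for role in effective:
        granted.update(grants.get(role, []))
    if "*" in granted:
        return set(record["data"])
    return granted & set(record["data"])

def view(record, user, roles):
    """Build the JSON sent to the client: permitted fields only, ACL stripped."""
    fields = allowed_fields(record, "view", user, roles)
    return json.dumps({k: record["data"][k] for k in sorted(fields)})

def change(record, user, roles, updates):
    """Apply a client update only if every touched field is granted."""
    denied = set(updates) - allowed_fields(record, "change", user, roles)
    if denied:
        raise PermissionError("change denied for: " + ", ".join(sorted(denied)))
    record["data"].update(updates)

def may_delete(record, user, roles):
    """Deleting removes the whole record, so require a grant on every field."""
    return allowed_fields(record, "delete", user, roles) == set(record["data"])
```

Clients only ever send and receive the `data` fields, so the embedded ACL stays auditable in the stored record without being editable through the same path it protects.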
  5. Peter Brooks

    On May 24, 6:13 pm, Carlos Nepomuceno wrote:
    > Not exactly what you want but you may consider Google ACL XML[1].
    >
    > If there aren't any system integration restrictions you can do what you think is best... for now.
    >
    > [1]https://developers.google.com/storage/docs/accesscontrol#applyacls
    >

    Thank you for the reference. I specifically don't want to use XML
    itself, but I can adapt that to my purpose - great!
    Peter Brooks, May 24, 2013
    #5
  6. You're welcome! Can you send me whatever you decide is best for your case?

    I'd like to have an example just in case I have to do that in the future.

    I think that approach is gonna become more prevalent in the coming years. ;)

    ----------------------------------------
    > Date: Fri, 24 May 2013 12:08:03 -0700
    > Subject: Re: Using ACLs in JSON
    > From:
    > To:
    >
    > On May 24, 6:13 pm, Carlos Nepomuceno wrote:
    >> Not exactly what you want but you may consider Google ACL XML[1].
    >>
    >> If there aren't any system integration restrictions you can do what you think is best... for now.
    >>
    >> [1]https://developers.google.com/storage/docs/accesscontrol#applyacls
    >>

    > Thank you for the reference. I specifically don't want to use XML
    > itself, but I can adapt that to my purpose - great!
    > --
    > http://mail.python.org/mailman/listinfo/python-list
    Carlos Nepomuceno, May 24, 2013
    #6