Hi all,
I'm sitting on a home-brew rule-based authorization system that I'd
like to release as open source. Its current interface is either the
console or raw SQL though, which makes things pretty unfriendly, so I
was wondering just what would be the most idiomatic interface to such
a system. I was envisioning an "authorization console" in script/
that might work like so:
$ ./script/authzcon production
>> allow */* for bob with priority 0
>> deny */destroy from bob with priority 1
>> allow vendors/destroy for bob with priority 10
>> flush
Above, rules are controller/action pairs (permitting wildcards), and
each rule is assigned a priority (so above bob could do everything
except destroy anything other than vendors). Denials outrank
allowances of the same priority. To see if a certain action is
allowed for the current ruleset, one could query a controller/action
pair, or list out all the current rules:
>> query employees/destroy for bob
Denied
>> query vendors/destroy for bob
Allowed
>> list rules for bob
10 Allow vendors/destroy
1 Deny */destroy
0 Allow */*
Anyway, the syntax above was completely off-the-cuff, so please
ignore it should you find it abrasive. I was more interested in
hearing whether this sort of tool would make any sense, and if so,
whether the tool would belong in script/. Also, please let me know
if something similar already exists -- I don't follow Rails or the
community too closely.
Thanks!
P.S. Sorry if this is a repost, but I was having some issues with the
list yesterday.
--
Nick Murphy
Scientific Programmer
Department of Plant Sciences
University of Arizona
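As an added illustration (not Nick's code, and not from any existing library) of the rule model sketched in the post: controller/action patterns with "*" wildcards, an integer priority per rule, the highest-priority matching rule deciding the outcome, and a deny beating an allow at equal priority. The `RuleSet`, `Rule` and `execute` names, the console-line regexes, and the fail-closed default when nothing matches are all assumptions made here for the example.

```ruby
# Added example, not from the original post: a small evaluator for
# priority-ordered allow/deny rules over controller/action pairs, plus a
# parser for the console syntax sketched in the post. Assumption: when no
# rule matches a query at all, the answer is "Denied" (fail closed).

Rule = Struct.new(:effect, :controller, :action, :priority) do
  # A "*" segment matches any controller name or any action name.
  def matches?(ctrl, act)
    segment_match?(controller, ctrl) && segment_match?(action, act)
  end

  def segment_match?(pattern, value)
    pattern == "*" || pattern == value
  end

  # Same shape as the "list rules" output in the post: "10 Allow vendors/destroy".
  def to_s
    format("%d %s %s/%s", priority, effect.to_s.capitalize, controller, action)
  end
end

class RuleSet
  # Console lines, e.g. "deny */destroy from bob with priority 1",
  # "query vendors/destroy for bob", "list rules for bob".
  COMMAND = %r{\A(allow|deny)\s+(\S+)\s+(?:for|from)\s+(\S+)\s+with\s+priority\s+(-?\d+)\z}
  QUERY   = %r{\Aquery\s+(\S+)\s+for\s+(\S+)\z}
  LIST    = %r{\Alist\s+rules\s+for\s+(\S+)\z}

  def initialize
    @rules = Hash.new { |h, k| h[k] = [] }   # subject => [Rule, ...]
  end

  def allow(subject, resource, priority:)
    add(:allow, subject, resource, priority)
  end

  def deny(subject, resource, priority:)
    add(:deny, subject, resource, priority)
  end

  # Decide a concrete controller/action pair for a subject: :allowed or :denied.
  def query(subject, resource)
    ctrl, act = split(resource)
    matching = @rules[subject].select { |r| r.matches?(ctrl, act) }
    return :denied if matching.empty?          # assumption: fail closed
    top = matching.map(&:priority).max
    # Among the highest-priority matches, any deny outranks an allow.
    winners = matching.select { |r| r.priority == top }
    winners.any? { |r| r.effect == :deny } ? :denied : :allowed
  end

  # All rules for a subject, highest priority first.
  def list(subject)
    @rules[subject].sort_by { |r| -r.priority }.map(&:to_s)
  end

  # Run one console line and return what the console would print.
  def execute(line)
    case line.strip
    when COMMAND
      public_send($1.to_sym, $3, $2, priority: $4.to_i)
      "OK"
    when QUERY
      query($2, $1).to_s.capitalize
    when LIST
      list($1).join("\n")
    else
      raise ArgumentError, "unrecognized command: #{line.inspect}"
    end
  end

  private

  def add(effect, subject, resource, priority)
    ctrl, act = split(resource)
    @rules[subject] << Rule.new(effect, ctrl, act, Integer(priority))
  end

  # "controller/action" -> [controller, action]; both parts must be present.
  def split(resource)
    ctrl, act = resource.split("/", 2)
    if act.nil? || ctrl.empty? || act.empty?
      raise ArgumentError, "expected controller/action, got #{resource.inspect}"
    end
    [ctrl, act]
  end
end

# Bob's rules exactly as typed in the post, fed through the console parser.
def bob_ruleset
  rs = RuleSet.new
  ["allow */* for bob with priority 0",
   "deny */destroy from bob with priority 1",
   "allow vendors/destroy for bob with priority 10"].each { |l| rs.execute(l) }
  rs
end

if __FILE__ == $PROGRAM_NAME
  rs = bob_ruleset
  puts rs.execute("query employees/destroy for bob")   # Denied
  puts rs.execute("query vendors/destroy for bob")     # Allowed
  puts rs.execute("list rules for bob")
end
```

Running the file reproduces the two query answers and the rule listing from the post; adding a second rule at the same priority as the deny (say `allow */destroy for bob with priority 1`) leaves `employees/destroy` denied, which is the "denials outrank allowances of the same priority" behaviour the post describes.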