Responding to the group with Roberts permission. (there's a pun in there somewhere)
On Mar 31, 2015, at 11:55 AM, Robert Panzer <robert.panzer_at_me.com> wrote:
> I wanted to tell you how much I liked your presentation!
> It was really super interesting and it gave valuable insights into the process how the standards are defined.
> In particular that you had multiple members of the EG on stage was an awesome idea!
Great to hear. I think having multiple voices helped people feel encouraged to use their voice. This of course is really wonderful. Expert groups can be perceived as too Ivory Tower and not accessible and I think this goes a long way to combat that.
> And I would certainly like to tell you how I think about that:)
>
> Well, the default examples that are presented in the specs and tutorials are most of the time roles like „monitor“, „administrator“ and „operator“ or sth like that.
> I find that it does not really match the reality that I work with everyday.
That's precisely the kind of feedback we need. Interested in cooking up a more realistic representation in the examples project?
-
https://github.com/javaee-security-spec/javaee-security-examples
Doesn't need to run, but would be good to paint a better picture of what people are actually doing. Incredibly valuable at this stage.
I made a comment to someone else in attendance that collecting use cases is perhaps the most critical thing we can do right now. The more the better. They'll help us focus our decisions and let everyone see how we arrive at our eventual end product.
I will say having participated in EGs for a few years it's common for the motivation for a specific feature or decision to be "eaten by time" and eventually no one or very few people will remember the details behind the end result.
> I really appreciated the idea of having permissions instead of roles.
> The software I work on in my closed source life (sigh) uses permissions as well.
> But permissions as we treat them are always with respect to some entity.
> So a user may watch for instance the business journal of the branch in New York and not the journal of the branch in Boston.
> And in the end a permission without an object it relates to it’s in fact a role that you name differently, and you probably have more permissions than roles.
>
> (In the wording of our application a role is an aggregation of permissions/rights so that you can quickly attach a commonly used set of permissions to a user.)
Jan (Cc'ed) had similar feedback. Basically saying "roles are not useful" and "permissions are king". He also had a specific standard in mind.
Jan, do have any info?
-David