| 7 | | In fact, access control has to center on projects. Resources like data files belong to projects not users. Roles would be role types expressed in the context of a given project. Controlling access might involve not granting access to a user that once was a member of a project, and in fact ran the experiment that created the data file in question, but no longer is a member. Controlling access also would be a way to limit or cease work on a project if need be. |
| 8 | | |
| 9 | | It is assumed that all members of a given project can see all of that project's scripts, programs and data, but not all scripts, programs and data belonging to each member of the project. |
| 10 | | |
| 11 | | The privileges of users and of projects has made more explicit on the ORBIT system. One complication is that scripts and programs are often shared across projects. Such shared resources couild be considered objects common to ORBIT, but some might want to restrict the projects with which they are shared. |
| 12 | | |
| 13 | | One rationale for using dynamic instead of static separation of duty is to not impose overburdensome restrictions on the roles allowed for a few users on a small project. There are many small ORBIT projects. A given user might be an Adminstrator on one project and just a User on two others. Dynamic separation of duty allows a user to act in two conflicting roles on a single project at two different times. |
| | 7 | One rationale for using dynamic instead of static separation of duty is to not impose overburdensome restrictions on the roles allowed for the few users on a small project. There are many small ORBIT projects. A given user might be an Adminstrator on one project and just a User on two others. Dynamic separation of duty allows a user to act in two conflicting roles on a single project at two different times. |
