Karl Fogel (kfogel@kfogel.org)'s status on Thursday, 16-Jan-2025 13:24:39 JST Karl Fogel
Is there a word for this pattern?
Some online services handle the "multiple users per organization && multiple organizations per user" situation in the following way:
A user logs in with their individual account and then chooses (typically from a menu in the upper right) which "team" they want to currently be acting in. A team might correspond to a company, or to a department within a company, or whatever: it's some organization that the user is associated with. So instead of people logging in with a role account that represents the team, they log in as themselves and then "wear a cloak" that lets them act on the team's behalf (within whatever permissions the team admin has granted to that particular member). Naturally, a user can be associated with multiple teams, and those teams don't all have to know about each other -- maybe only the user knows them all.
Is there a name for this pattern? I'm going with "PAMT" ("Personal Account Multiple Teams") for now, but if there's already a widely-used term I'd like to know it.
bignose (bignose@fosstodon.org)'s status on Thursday, 16-Jan-2025 13:33:58 JST bignose
I know that as adopting a "role" for specific actions
and each user account can be assigned zero-to-many "role"s by some authorisation administrator.
Karl Fogel (kfogel@kfogel.org)'s status on Thursday, 16-Jan-2025 13:33:58 JST Karl Fogel
@bignose Sure, that describes the feature. I'm looking for the label, not the description, though. Not every service supports this way of working. For those that do, I want to be able to say, for example, "Oh, Digital Ocean supports PAMT" or "FooBar Inc doesn't do PAMT, so you just have to use a role account."
soaproot (soaproot@sfba.social)'s status on Saturday, 18-Jan-2025 06:34:14 JST soaproot
@kfogel Or if you are talking about permissions specifically, Role Based Access Control (RBAC). I think being able to assign multiple roles to a user is part of RBAC, at least it is part of most RBAC systems I have worked with.
Karl Fogel (kfogel@kfogel.org)'s status on Saturday, 18-Jan-2025 06:34:14 JST Karl Fogel
@soaproot This is technically RBAC, sure, but the trouble is that RBAC sort-of-kind-of implies assigning a user to (one or more) roles within one over-arching organization. Like, you're employed by Soulless Global MegaCorp Inc, and when you log on to the corporate network, you have certain access permissions due to having certain roles within SGMC, Inc.
PAMT is a little bit different because there isn't one authority granting the roles. The user is associated with different organizations, each of whom has their *own* organizational account within the service provider (whether that org account has its own dedicated login account or not doesn't matter), and each of those orgs might assign that user a role within their org's "area" or "domain" (or whatever you want to call it) within that service provider.
I feel like if I say "RBAC" to someone who is entirely familiar with RBAC, they're not necessarily going to think of PAMT. It's sufficiently different to need its own label.
soaproot (soaproot@sfba.social)'s status on Saturday, 18-Jan-2025 06:34:15 JST soaproot
@kfogel And you are describing the situation where the team has a visible existence (similar to a user) in the system (for example be listed as the author of a post), I take it? That is, more than just permissions. The more I think about it the more I start thinking of examples: Facebook pages, GitHub teams (especially when a team is tagged as a requested reviewer). I don't remember seeing a name, but "first class teams"? "teams as entities"?
soaproot (soaproot@sfba.social)'s status on Saturday, 18-Jan-2025 11:19:20 JST soaproot
@kfogel I could quibble about whether a sufficiently large Soulless Global MegaCorp is more like a service provider than it is like a small company, but in ways I can only partly articulate I'm inclined to buy your characterization of it as something sufficiently different that you'd confuse people by trying to use the same terminology.
Karl Fogel (kfogel@kfogel.org)'s status on Saturday, 18-Jan-2025 11:19:20 JST Karl Fogel
@soaproot Well, the size of SGMC doesn't matter here. It's just about the arrangement of authenticated and authorized customer entities they offer in their online service.
soaproot (soaproot@sfba.social)'s status on Saturday, 18-Jan-2025 11:19:21 JST soaproot
@kfogel Ah yes, in GitHub terms it is more like granting a user access to a repository, making a user an owner, etc, than a GitHub team. I can see why you are looking for a new term because I'm not sure what I'd call that either.