
Re: Access Control Requirements



Arathi Balakrishna wrote:

> At the event level, we might need a "restricted" level based on user
> groups being able to view/modify the calendar, or interpret the
> "private" access level to mean "restricted".  Something that would
> come up eventually.....

My humble $.02:

Based on my experience with OfficeVision users' requirements, the important attributes at the 
event level are "Personal" and "Confidential". "Personal" events are not viewable by anyone 
other than yourself. "Confidential" events are viewable by those with a "trusted relationship" 
(I'm being deliberately vague here) relative to you - perhaps your assistant or some other 
delegate. Events with neither of these attributes can be viewed by anyone with read access to 
your calendar store.

In implementations that I've worked on in the past, I've toyed with the idea of having many more 
discrete levels of access control on events, but these just seemed to confuse the heck out of 
users. Having only one level of control, i.e. "Confidential" only, was not considered to be 
sufficient.

BTW, the same seems to be true in regards to calendar-level access also. Presenting folks with 
the traditional read/write/delete/etc. flags often causes confusion. By far the two most common 
levels of access are (expressed from a user's point of view): "Fred is my assistant and he 
needs to be able to do anything to my calendar that I ask him to" and "I'd like everyone in my 
workgroup (or company) to be able to browse my calendar, but not modify it".

In short: I definitely think that access control should be defined, but kept as simple as 
possible.

Pete.
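
The two-attribute event model and the two calendar-level roles from the message above, written out as a deny-by-default policy check. This is an added example, not part of the original post or of any calendar product's code; all names are hypothetical, and it assumes the "trusted relationship" is the same delegate role used for calendar-level access, which the post leaves open.

```python
from dataclasses import dataclass, field
from enum import Enum


class Sensitivity(Enum):
    NORMAL = "normal"              # neither attribute set
    CONFIDENTIAL = "confidential"  # owner plus trusted delegates
    PERSONAL = "personal"          # owner only


class Role(Enum):
    NONE = "none"          # no access to the calendar store
    BROWSE = "browse"      # "everyone in my workgroup can browse, not modify"
    DELEGATE = "delegate"  # "Fred is my assistant"


@dataclass
class Calendar:
    owner: str
    roles: dict = field(default_factory=dict)  # user name -> Role

    def role_of(self, user: str) -> Role:
        # Unknown users get no access (deny by default).
        return self.roles.get(user, Role.NONE)


def can_view(cal: Calendar, user: str, sensitivity: Sensitivity) -> bool:
    if user == cal.owner:
        return True
    role = cal.role_of(user)
    if role is Role.NONE or sensitivity is Sensitivity.PERSONAL:
        return False
    if sensitivity is Sensitivity.CONFIDENTIAL:
        # Assumption: "trusted relationship" == calendar-level delegate.
        return role is Role.DELEGATE
    return True  # NORMAL event, user has at least browse access


def can_modify(cal: Calendar, user: str, sensitivity: Sensitivity) -> bool:
    if user == cal.owner:
        return True
    # Assumption: nobody may modify an event they are not allowed to view,
    # so a delegate can change everything except Personal events.
    return (cal.role_of(user) is Role.DELEGATE
            and can_view(cal, user, sensitivity))


def visible(cal: Calendar, user: str, events: list) -> list:
    """Filter (title, Sensitivity) pairs down to what `user` may see."""
    return [title for title, s in events if can_view(cal, user, s)]
```
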