Diffstat (limited to 'rt/docs/design_docs/delegation')
-rw-r--r-- | rt/docs/design_docs/delegation | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/rt/docs/design_docs/delegation b/rt/docs/design_docs/delegation new file mode 100644 index 000000000..0e5705907 --- /dev/null +++ b/rt/docs/design_docs/delegation 
@@ -0,0 +1,115 @@ +Group ACLs + + the rights: + + + CreatePersonalGroup + CreateGroup + + AdminGroup + * Update group metadata and access control list + AdminGroupMembers + * Add ad delete members of this group + ModifyOwnMembership + * Join and quit this group + + + the primitives: + +In user.pm + +=item HasRight { Right => 'somerightname', ObjectType => 'Group', ObjectId => 'GroupId' + + Returns true if this user has the right 'somerightname' for +the group with id 'Id' + +=cut + + +=item RightsForObject { ObjectType => 'Group', ObjectId =>'GroupId' } + +in users.pm + +=item WhoHaveRight { Right =>'somerightname', ObjectType => 'Group', ObjectId => 'GroupId' } + + + Finds all users who have the right 'somerightname' for the group +in question. + + If a user has "AdminGroupMembers" globally and we ask about + group 23, that user should be found. + +=cut + +Users must be able to delegate individual rights + + * Is it that users can delegate any and all rights but it's + only rights they _have_ which actually grant rights. + +rights must not be redelegated + +users must be able to create groups to which rights can be delegated. + +Only users who have the "delegate rights" right can delegate rights. + + +When a user's right to do something is revoked, the delegation must +be revoked + + * For any delegated ACL check, the delegator's right must be + checked immediately after the delegatee's right. + If a user has had a right delegated by multiple parties, + this may mean that we need to actually loop through and check + a bunch of possible delegations. Or can we craft a "has delegated + right" ACL check. + + + + + + + +ACL 1 Group Q has the right to Frob ObjectI. 
+ACL 2 User A has the right "DelegateRights" + +Group Q has the member Group S +Group S has the member Group R +Group S has the member Group T +Group R has the member user A +Group T has the member user A + +User A delegates to Group P the right to Frob ObjectI + + New ACL rule: + + ACL 3: Group P has the right to Frob ObjectI + as delegated from ACL1 by User A + + +In the case where ACL1 is revoked: + + find all acls which are delegated from ACL1. + Delete them + +In the case where User A is removed from group R + + Get the list of all groups that A was in by way of group R before the removal + Get the list of all groups that A is in _after_ the removal. + + Find all the ACEs granted to each group that A is no longer in. + For each ACE in that list, find all the rights that A has delegated. + Whack them. + +In the case where Group S is removed from group Q + + + Get a list of all groups that S was in by way of Q before the removal + Call this list O. + + For each user X who's a member of S (directly or indirectly): + Get a list of all groups that X is in after removal. + For each group in O that X is no longer a member of: + Find all ACEs granted to O + For each ACE, look up all the delegations that X has made. + For each delegation + WHACK IT |
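Review bot: in the "Group S is removed from group Q" case the step "Find all ACEs granted to O" is wrong as written, since O is a list of groups and ACEs are granted to a single group; it should read "Find all ACEs granted to that group", scoped to the group in the enclosing "For each group in O that X is no longer a member of" loop, otherwise delegations backed by a group X still reaches by another path would be revoked. The same scoping question applies to "Find all the ACEs granted to each group that A is no longer in": the worked example shows User A reaching Group Q through both R and T, so removal from R alone must not whack ACL 3. Smaller points: the HasRight signature is missing its closing brace ("=item HasRight { Right => 'somerightname', ObjectType => 'Group', ObjectId => 'GroupId'"), "Add ad delete members" should be "Add and delete members", and the delegation right is named both "delegate rights" and "DelegateRights" (ACL 2); pick one. Finally, the bullet under "Users must be able to delegate individual rights" leaves open whether a user may record a delegation of a right they do not hold, and the choice between checking the delegator's right at each ACL check and eagerly deleting delegations on revocation is also left undecided; both decisions should be settled here because the "rights must not be redelegated" rule and every revocation procedure below depend on them.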