Is that extra complexity really useful?
Access control is a security requirement of Tizen IVI.
Can I relax access and allow a set of apps sharing the identity? I
noticed a "security context" parameter in the API. Currently I am
passing NULL there.
Yes you can. Each identity includes an access control list of executable paths that are
allowed to use it (the creator of the identity is added there by default). When you create
and store an identity, add all the executables that will use it to the ACL (the creator of
the identity can also update the list later). On Tizen, SMACK labels are used instead.
The app security context parameter is for supporting access control in runtimes, where the
runtime is passing the name of the script it's executing through that parameter, so
the access control module has both the name (or SMACK label) of the runtime and the script
I also don't understand how that fits with the single
that gets stored in accounts (see discussion with Alberto). That means
that there is a single signond identity that all apps using a certain
provider (not service!) are meant to use. Won't that fail when there is
a per-app access control on the identity?
It won't fail if they're on the ACL :)