[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
aci-model-04: GetEffectiveRights Contol/Operation needs optional? <attributeString>
As I understand the GetEffectiveRights request control and operation request, there is no way to specify what attribute(s) you want rights computed for.
This has several disadvantages.
1) It implies that the response control or operation response should return information about all rights.
2) This may be a lot to compute.
3) It will be a lot to put on the wire because every possible attribute will have to be named explicitly (unless we arrange for the developer to interpret the interaction of [all] and named attributes)
4) It means the developer must parse through extra (most likely unwanted) information to get to the bits (pun intended) he really wants.
5) The requestor may not have rights to see some portion of all the rights and thus insuffcientRights must be returned and he would not even be able to see even the portion he does have rights to see.
I believe the developer should be able to specifically request
1) [entry] rights--Add, Delete, EditDn
2) [all] rights--default attribute rights, Read, Write, Search, Compare (RWSC)
3) "specific attribute" rights--rights for a named attribute, RWSC
<enter_dreamstate>
4) [existing attributes] rights--rights for attributes that actually exist on the object, RWSC
5) [legal attributes] rights--rights for attributes that may not exist on the object but that would be legal to put on the object, RWSC
</enter_dreamstate>
6) Any combination of the above
I would be willing to forgo 4) [existing attributes] and/or 5) [legal attributes] if there are objections to them.
I propose changing getEffectiveRights Request Control to
(only changing the portion needed to implement this posting)
getEffectiveRightsRequest::= SEQUENCE {
effectiveRightsRequest SEQUENCE OF SEQUENCE {
rightsFamily LDAPOID | "*",
whichObject ENUMERATED {
LDAP_ENTRY (1),
LDAP_SUBTREE(2)
},
whichAttributes SEQUENCE OF {
whichAttribute "[entry]" | "[all]" | LDAPString | "*"
},
dnType "access-id" | group" | "role" | "*",
subjectDN LDAPString,
}
}
In whichAttribute [entry], [all], LDAPString correspond to 1), 2), and 3) above.
"*" should be either 4) or 5) (I'd like some discussion here).
Similarly I propose that whichAttributes be added to the "updates" field of "requestValue" of "ldapGetEvvectiveRightsRequest" of LDAP Get Effective Rights Operation.
--the walrus
a.k.a. Brian Jarvis
bjarvis@novell.com