[Date Prev][Date Next] [Chronological] [Thread] [Top]

aci-model-04: GetEffectiveRights Contol/Operation needsoptional? <attributeString>



I sent this out at the tail end of the most recent ldapext list failure.  Since I got no responses, I am assuming that it never really got out.  I'm looking forward to your comments.
―-------------------------------------
As I understand the GetEffectiveRights request control and operation request, there is no way to specify what attribute(s) you want rights computed for.

This has several disadvantages.
1)  It implies that the response control or operation response should return information about all rights.
2)  This may be a lot to compute.
3)  It will be a lot to put on the wire because every possible attribute will have to be named explicitly (unless we arrange for the developer to interpret the interaction of [all] and named attributes)
4)  It means the developer must parse through extra (most likely unwanted) information to get to the bits (pun intended) he really wants.
5)  The requestor may not have rights to see some portion of all the rights and thus insuffcientRights must be returned and he would not even be able to see even the portion he does have rights to see.

I believe the developer should be able to specifically request
1)  [entry] rights--Add, Delete, EditDn
2)  [all] rights--default attribute rights, Read, Write, Search, Compare (RWSC)
3)  "specific attribute" rights--rights for a named attribute, RWSC
<enter_dreamstate>
4)  [existing attributes] rights--rights for attributes that actually exist on the object, RWSC
5)  [legal attributes] rights--rights for attributes that may not exist on the object but that would be legal to put on the object, RWSC
</enter_dreamstate>
6)  Any combination of the above

I would be willing to forgo 4) [existing attributes] and/or 5) [legal attributes] if there are objections to them.

I propose changing getEffectiveRights Request Control to
(only changing the portion needed to implement this posting)

getEffectiveRightsRequest::= SEQUENCE {
  effectiveRightsRequest  SEQUENCE OF SEQUENCE {
    rightsFamily  LDAPOID | "*",
    whichObject  ENUMERATED {
      LDAP_ENTRY (1),
      LDAP_SUBTREE(2)
    },
    whichAttributes  SEQUENCE OF {
      whichAttribute  "[entry]" | "[all]" | LDAPString | "*"
    },
    dnType  "access-id" | group" | "role" | "*",
    subjectDN  LDAPString,
  }
}

In whichAttribute [entry], [all], LDAPString correspond to 1), 2), and 3) above.
"*" should be either 4) or 5) (I'd like some discussion here).

Similarly I propose that whichAttributes be added to the "updates" field of "requestValue" of "ldapGetEvvectiveRightsRequest" of LDAP Get Effective Rights Operation.

--the walrus
a.k.a. Brian Jarvis
bjarvis@novell.com 



BEGIN:VCARD
VERSION:2.1
X-GWTYPE:USER
FN:Brian Jarvis
TEL;WORK:801-861-3856
ORG:;NDS Administration
TEL;PREF;FAX:801-861-2292
EMAIL;WORK;PREF;NGW:BJARVIS@novell.com
N:Jarvis;Brian
TITLE:Engineer
ADR;INTL;WORK;PARCEL;POSTAL:;PRV-F221;122 E 1700 S;Provo;UT;84606;USA
LABEL;INTL;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Brian Jarvis=0A=
PRV-F221=0A=
122 E 1700 S=0A=
Provo, UT  84606=0A=
USA
LABEL;DOM;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Brian Jarvis=0A=
PRV-F221=0A=
122 E 1700 S=0A=
Provo, UT  84606
TEL;HOME:801-226-6636
TEL;PREF:801-861-3856
X-GWUSERID:BJARVIS
END:VCARD