
Re: delete permission



David / Bruce,

I think the ldap model should use delete in the X.500 sense - the object
must be a leaf entry.

However, subtree delete becomes interesting if/when we decide to
surface the scope of ACI (entry/subtree) via your entryACI / subtreeACI
proposal.  At that point, the expired subtree drafts become
interesting because you have a way to actually invoke the subtree operation
and apply access control to the operation.

Comments?

Ellen


At 06:21 PM 7/18/00 +0100, David Chadwick wrote:

>
> >iii) delete this entry permission. What happens if the entry has
> >subordinates. Are permissions needed for the subordinates or not. The
> >text is mute on this point, although it does mention that no
> >permissions are needed on attributes in the entry.
>
> (EJS)  The intent here was to provide the same semantic as X.500.
> However, I think we may have missed the point you mention about
> subordinates.  It seems to me that if the entry you're deleting is
> a leaf entry, then no problem.  If there are subordinates, then you
> can't just delete an entry in the middle of the DIT, but also need
> permission to delete each subordinate.  What does X.500 do?

X.500 does not have this problem as only leaf entries can be
removed. LDAPv3 basic only allows leaf entries to be deleted, but
there was talk of having an operation to delete full subtrees. I don't
know the status of this, do you?

David

***************************************************

David Chadwick
IS Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351  Fax +44 161 745 8169
Mobile +44 790 167 0359
Email D.W.Chadwick@salford.ac.uk
Home Page  http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J

***************************************************
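Ellen's leaf-only point and the subordinate-permission question above, modelled as an added example (mine, not code from the thread or from any LDAP server): a tiny DIT where a non-leaf delete is refused outright, and a subtree delete succeeds only if the subject holds delete permission on every subordinate, which a subtree-scoped ACI supplies and an entry-scoped one does not. The Dit and Aci types, the ENTRY/SUBTREE scope names and the sample entries are all constructed for illustration.

```python
from collections import namedtuple
# Toy model, constructed for this thread (not any LDAP server's API): leaf-only
# delete versus subtree delete authorised per ACI scope (entry vs. subtree).
ENTRY, SUBTREE = "entry", "subtree"          # ACI scope, as in the entryACI / subtreeACI idea
Aci = namedtuple("Aci", "subject scope perms")  # perms: frozenset such as {"delete"}

class Dit:
    """Directory tree keyed by DN string; parent DN = DN with its first RDN removed."""
    def __init__(self):
        self.entries = {}   # dn -> list of Aci

    def add(self, dn, acis=()):
        self.entries[dn] = list(acis)

    def subordinates(self, dn):   # plain suffix match; DN escaping is ignored in this toy
        return [d for d in self.entries if d.endswith("," + dn)]

    def has_perm(self, subject, dn, perm):
        """Granted by an ACI on the entry itself (any scope) or a SUBTREE ACI on an ancestor."""
        cur, on_entry = dn, True
        while cur is not None:
            for aci in self.entries.get(cur, []):
                if aci.subject == subject and perm in aci.perms and (on_entry or aci.scope == SUBTREE):
                    return True
            cur, on_entry = (cur.split(",", 1)[1] if "," in cur else None), False
        return False

    def delete(self, subject, dn, subtree=False):
        """Leaf-only delete (X.500 / LDAPv3 basic); subtree=True also removes subordinates, but only
        if the subject holds delete on each. Returns a result name on failure, removed DNs on success."""
        if dn not in self.entries:
            return "noSuchObject"
        targets = self.subordinates(dn) + [dn]
        if not subtree and len(targets) > 1:
            return "notAllowedOnNonLeaf"
        denied = [t for t in targets if not self.has_perm(subject, t, "delete")]
        if denied:
            return "insufficientAccessRights on " + ", ".join(sorted(denied))
        for t in targets:
            del self.entries[t]
        return sorted(targets)

def sample_dit():   # constructed sample: admin has subtree-scoped delete on ou=people, bob entry-scoped
    d = Dit()
    d.add("o=example")
    d.add("ou=people,o=example", [Aci("admin", SUBTREE, frozenset({"delete"})),
                                  Aci("bob", ENTRY, frozenset({"delete"}))])
    d.add("cn=alice,ou=people,o=example")
    d.add("cn=carol,ou=people,o=example")
    return d
```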