I agree...
Ellen

To: Ellen Stokes <stokes@austin.ibm.com>, d.w.chadwick@salford.ac.uk, ietf-ldapext@netscape.com, bgreenblatt@directory-applications.com
cc: (bcc: Ellen Stokes/Tivoli Systems)
Subject: RE: delete permission

Hi,

It will always be possible for a client to recursively delete the subtree using the usual delete of a leaf. Access controls, as discussed on this thread, will still apply and have the expected outcome.

Ron.

-----Original Message-----
From: Ellen Stokes [mailto:stokes@austin.ibm.com]
Sent: Wednesday, 19 July 2000 7:56
To: d.w.chadwick@salford.ac.uk; ietf-ldapext@netscape.com; bgreenblatt@directory-applications.com
Subject: Re: delete permission

David / Bruce,

I think the ldap model should use delete in the X.500 sense - the object must be a leaf entry. However, subtree delete becomes interesting if/when we decide to surface the scope of ACI (entry/subtree) via your entryACI / subtreeACI proposal. At that point in time, then the expired subtree drafts become interesting because you have a way to actually invoke the subtree operation and apply access control to the operation.

Comments?
Ellen

At 06:21 PM 7/18/00 +0100, David Chadwick wrote:
> > >iii) delete this entry permission. What happens if the entry has
> > >subordinates? Are permissions needed for the subordinates or not?
> > >The text is mute on this point, although it does mention that no
> > >permissions are needed on attributes in the entry.
> >
> > (EJS) The intent here was to provide the same semantic as X.500.
> > However, I think we may have missed the point you mention about
> > subordinates. It seems to me that if the entry you're deleting is
> > a leaf entry, then no problem. If there are subordinates, then you
> > can't just delete an entry in the middle of the DIT, but also need
> > permission to delete each subordinate. What does X.500 do?
>
>X.500 does not have this problem as only leaf entries can be
>removed. LDAPv3 basic only allows leaf entries to be deleted, but
>there was talk of having an operation to delete full subtrees. I don't
>know the status of this, do you?
>
>David
>
>***************************************************
>
>David Chadwick
>IS Institute, University of Salford, Salford M5 4WT
>Tel +44 161 295 5351 Fax +44 161 745 8169
>Mobile +44 790 167 0359
>Email D.W.Chadwick@salford.ac.uk
>Home Page http://www.salford.ac.uk/its024/chadwick.htm
>Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
>X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
>Entrust key validation string MLJ9-DU5T-HV8J
>
>***************************************************
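The behaviour discussed in this thread (a client-side recursive delete built from leaf-only deletes, with delete permission checked per entry), as an added example that is not part of the original messages. The `Directory` class, the per-entry deny set, the order of the two checks and all DNs are assumptions made for illustration; this is an in-memory model, not an LDAP client or server.

```python
# In-memory model of a DIT for illustration; not a real LDAP client or server.
class NotAllowedOnNonLeaf(Exception):
    """Delete was attempted on an entry that still has subordinates."""

class InsufficientAccess(Exception):
    """The client lacks delete permission on the entry."""

class Directory:
    def __init__(self, dns, no_delete=()):
        self.entries = set(dns)          # DNs present in the DIT
        self.no_delete = set(no_delete)  # DNs the client may not delete

    def children(self, dn):
        # Direct subordinates only. Simplified DN handling: assumes no
        # escaped commas inside RDN values.
        suffix = "," + dn
        return sorted(e for e in self.entries
                      if e.endswith(suffix) and "," not in e[:-len(suffix)])

    def delete(self, dn):
        # Leaf-only delete; access control is evaluated on the entry itself.
        if self.children(dn):
            raise NotAllowedOnNonLeaf(dn)
        if dn in self.no_delete:
            raise InsufficientAccess(dn)
        self.entries.remove(dn)

def delete_subtree(directory, base):
    """Client-side subtree delete: post-order walk issuing leaf deletes.
    Returns (deleted, refused) lists of DNs."""
    deleted, refused = [], []
    for child in directory.children(base):
        d, r = delete_subtree(directory, child)
        deleted += d
        refused += r
    try:
        directory.delete(base)
        deleted.append(base)
    except (InsufficientAccess, NotAllowedOnNonLeaf):
        refused.append(base)
    return deleted, refused

def demo():
    # Constructed sample DIT; every DN here is made up.
    base = "ou=people,o=example"
    protected = "cn=x,cn=b," + base
    d = Directory([base, "cn=a," + base, "cn=b," + base, protected],
                  no_delete={protected})
    return delete_subtree(d, base), sorted(d.entries)
```

In the sample run, one protected leaf keeps every ancestor above it in place, because each ancestor is still a non-leaf when its own delete is attempted.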