Re: ACL access decision question
Date forwarded: Fri, 13 Oct 2000 05:18:03 -0700 (PDT)
Date sent: Fri, 13 Oct 2000 06:17:41 -0600
From: "Haripriya S" <SHARIPRIYA@novell.com>
To: <ietf-ldapext@netscape.com>
Subject: ACL access decision question
Forwarded by: ietf-ldapext@netscape.com
Haripriya,
I have already raised a similar issue with Ellen. My point is that the
aci should be ordered in a precedence order and then you move
down the list for the particular operation you are evaluating. If it is a
modify operation, then the aci2 would be used to grant permission
to add values (but not remove them), and if it is a search operation
you are evaluating, then aci1 would be used to grant read
permission to attrname.
David
> Hi,
>
> The ACL model draft says that more specific functions should override
> less specific ones, and deny overrides grant. Also, it says
> specificity applies to both subject and attributes.
>
> Now given two ACIs for a target entry:
>
> aci1: entry#grant:r#attrname#group:cn=g1,o=n
> aci2: entry#grant:w#[all]#authzID-dn:cn=u1,o=n
>
> If u1 belongs to group g1, which aci takes precedence?
> aci1: because attrname is more specific than [all], or
> aci2: because authzID-dn is more specific than group?
>
> What happens if one is grant:w and another is deny:w in the above
> case?
>
> What is the precedence relation between various dimensions of ACIs:
> scope, target specificity, subject specificity, attribute specificity,
> and grant/deny.
>
> Thanks and Regards,
> Haripriya
>
***************************************************
David Chadwick
IS Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351 Fax +44 161 745 8169
Mobile +44 790 167 0359
Email D.W.Chadwick@salford.ac.uk
Home Page http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J
***************************************************
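As an added illustration (not code from either correspondent or from the ACL model draft), the following toy evaluator implements the ordered-list approach David describes: keep only the ACIs that speak to the operation being evaluated, sort them by a precedence order, and let the top of the list decide. It parses the two ACIs from the question verbatim and adds a constructed deny ACI so that Haripriya's conflict question can be run for different precedence orders. The specificity ranking (authzID-dn above group, a named attribute above [all]) and the candidate orders are assumptions chosen to show how the answer moves, not the draft's resolution; the model also treats write as a single permission and does not separate adding values from removing them as David's reply does.

```python
"""Toy evaluator for ACIs of the form  scope#grant|deny:perms#attrs#subject,
e.g.  entry#grant:r#attrname#group:cn=g1,o=n.  Added example; the precedence
orders and specificity ranks below are assumptions for illustration only."""
from dataclasses import dataclass

# Assumed specificity ranking: a named authzID-dn is more specific than a group.
SUBJECT_RANK = {"authzID-dn": 2, "group": 1}


@dataclass(frozen=True)
class Aci:
    scope: str          # e.g. "entry"
    action: str         # "grant" or "deny"
    perms: frozenset    # permission letters, e.g. {"r"} or {"w"}
    attrs: str          # one attribute name, or "[all]"
    subject_kind: str   # "authzID-dn" or "group"
    subject_dn: str     # the DN the subject field names


def parse_aci(text: str) -> Aci:
    """Split one ACI string into its four '#'-separated fields."""
    scope, action_perms, attrs, subject = text.split("#", 3)
    action, perms = action_perms.split(":", 1)
    if action not in ("grant", "deny"):
        raise ValueError(f"unknown action {action!r} in {text!r}")
    kind, dn = subject.split(":", 1)
    if kind not in SUBJECT_RANK:
        raise ValueError(f"unknown subject type {kind!r} in {text!r}")
    return Aci(scope, action, frozenset(perms), attrs, kind, dn)


def applies(aci: Aci, user_dn: str, groups: set, perm: str, attr: str) -> bool:
    """True when this ACI speaks to this request at all (operation, attribute, subject)."""
    if perm not in aci.perms or not (aci.attrs == "[all]" or aci.attrs == attr):
        return False
    if aci.subject_kind == "authzID-dn":
        return aci.subject_dn == user_dn
    return aci.subject_dn in groups  # group subject


def precedence_key(aci: Aci, order: tuple) -> tuple:
    """Sort key: a higher tuple means higher precedence; dimensions are compared in 'order'."""
    dims = {
        "subject": SUBJECT_RANK[aci.subject_kind],
        "attribute": 0 if aci.attrs == "[all]" else 1,
        "deny": 1 if aci.action == "deny" else 0,
    }
    return tuple(dims[d] for d in order)


def decide(acis, user_dn, groups, perm, attr, order=("subject", "attribute")) -> str:
    """Return 'grant' or 'deny' for one (user, operation, attribute) request.

    Only ACIs that apply to this operation are considered; they are ordered by
    the caller's precedence order and the top of the list decides.  Deny
    overrides grant among ACIs of equal precedence; nothing applicable = deny.
    """
    applicable = [a for a in acis if applies(a, user_dn, groups, perm, attr)]
    if not applicable:
        return "deny"
    ranked = sorted(applicable, key=lambda a: precedence_key(a, order), reverse=True)
    top = precedence_key(ranked[0], order)
    tied = [a for a in ranked if precedence_key(a, order) == top]
    return "deny" if any(a.action == "deny" for a in tied) else "grant"


# The two ACIs from the question, plus a constructed deny to force a conflict.
ACIS = [parse_aci(s) for s in (
    "entry#grant:r#attrname#group:cn=g1,o=n",     # aci1
    "entry#grant:w#[all]#authzID-dn:cn=u1,o=n",   # aci2
)]
ACI_DENY = parse_aci("entry#deny:w#attrname#group:cn=g1,o=n")  # constructed, not from the post

U1, U1_GROUPS = "cn=u1,o=n", {"cn=g1,o=n"}   # u1 is a member of g1, as in the question

if __name__ == "__main__":
    print("search attrname:", decide(ACIS, U1, U1_GROUPS, "r", "attrname"))  # aci1 grants read
    print("modify attrname:", decide(ACIS, U1, U1_GROUPS, "w", "attrname"))  # aci2 grants write
    print("search mail:    ", decide(ACIS, U1, U1_GROUPS, "r", "mail"))      # nothing applies
    both = ACIS + [ACI_DENY]
    for order in (("subject", "attribute"), ("attribute", "subject"), ("deny", "subject", "attribute")):
        print(order, "->", decide(both, U1, U1_GROUPS, "w", "attrname"))
```

With only aci1 and aci2 present there is no conflict at all: the two ACIs never apply to the same operation, which is David's point. The conflict only appears once a deny on attrname is added, and then the outcome depends entirely on which dimension the caller ranks first (subject-first lets aci2 win, attribute-first or deny-first lets the deny win), which is exactly the precedence question left open in the thread.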