
ldap acl draft (06): browse needed ?



The current acl draft proposes an entry level permission called "browseDN" (4.2.2). The idea behind this permission is to be able to set a
policy saying something like "you can see this entry if you name it explicitly as the base of a search, otherwise not".

At Pittsburgh people seemed to like this permission and I agreed to do a proposal for this....however, relative
to a single "read" level permission that ignores scoping it does complicate things. The definition of the required permissions for
search (5.2) already has to deal with a fair line up of other permissions (filter (presence and "the rest"), attribute level read, returnDN
and discloseOnError). While providing more permissions certainly increases the flexibility of the model,
it also makes it harder to understand and administrate, so my inclination is to drop the browse permission in favour of a single "read"
permission at the entry level.

My question is: do people feel strongly that the "browse" permission is required? If so, please propose a compelling scenario that
really needs this granularity of control of search permissions. I will then include this as a motivating example and propose a way to include
it in the required permissions for search. Otherwise I intend to drop it for the 07 draft...

Rob.
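As an added illustration (not part of Rob's message or of the draft itself), the following Python model shows the difference the post describes between a "browseDN" permission, which only exposes an entry when it is named explicitly as the search base, and a scope-insensitive entry level "read". The DIT, the per-entry permission sets and the DN handling are constructed for this example; the other permissions mentioned in 5.2 (filter, attribute read, returnDN, discloseOnError) are deliberately left out.

```python
# Constructed sample DIT: entry DN -> entry-level permissions granted to one
# hypothetical subject. Not the draft's ACL syntax; just the two permissions
# under discussion.
DIT = {
    "dc=example,dc=com": {"read"},
    "ou=people,dc=example,dc=com": {"browseDN"},
    "cn=alice,ou=people,dc=example,dc=com": {"read"},
    "cn=bob,ou=people,dc=example,dc=com": {"browseDN"},
    "cn=carol,ou=people,dc=example,dc=com": set(),
}


def in_scope(dn, base, scope):
    """Naive string-based scope check (base / one / sub); fine for the
    constructed DNs above, not a general DN parser."""
    if dn == base:
        return True
    if scope == "base" or not dn.endswith("," + base):
        return False
    rel = dn[: -len(base) - 1]          # the RDNs below the base
    return scope == "sub" or "," not in rel


def visible(dn, perms, base, with_browse):
    """Entry-level visibility decision.
    - "read": entry is visible regardless of how it was reached.
    - "browseDN" (only if the model keeps it): visible only when the
      entry is the explicitly named search base."""
    if "read" in perms:
        return True
    return with_browse and "browseDN" in perms and dn == base


def search(base, scope, with_browse=True):
    """DNs of entries the subject may see for a search with this base and
    scope. with_browse=False models the simplified single-"read" proposal."""
    return sorted(
        dn for dn, perms in DIT.items()
        if in_scope(dn, base, scope) and visible(dn, perms, base, with_browse)
    )


if __name__ == "__main__":
    people = "ou=people,dc=example,dc=com"
    print("with browseDN :", search(people, "sub", True))
    print("read only     :", search(people, "sub", False))
```

Run as is, the subtree search on ou=people returns the container itself only while browseDN is kept; with the single-"read" model the container disappears from the result even though the subject named it as the base.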