Re: Comments on Access Control Model draft - grant/deny evaluation rules
: From Kurt@OpenLDAP.org Wed Apr 4 12:09:29 2001
: To: rvh@qsun.mt.att.com (Richard V Huber)
: From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
: Subject: Re: Comments on Access Control Model draft - grant/deny evaluation rules
: Cc: ietf-ldapext@netscape.com
:
: At 02:14 AM 4/4/01 -0400, Richard V Huber wrote:
: >: >Some of the things that I don't think are clear in the current draft:
: >: >
: >: > - Groups and roles may contain other groups and roles. Subtrees may
: >: > contain groups and roles. Since groups, roles, and subtrees are of
: >: > different precedence, the interactions need to be spelled out.
: >:
: >: I would recommend that subtrees, groups and roles not be
: >: recursively evaluated.
: >
: >If groups and roles are not recursively evaluated, I think that the
: >principle of least surprise will be violated - it won't work the way
: >people expect it to.
:
: Maybe David or someone from the X.500 crowd could comment on
: why X.500 does not recursively evaluate groups and roles in their
: ACM.
I'd like to hear it. There are cases that come up frequently in my
life (e.g. tiered support organizations) where nested groups are really
important and useful as a way to control administrative overhead and
reduce the chances of making security mistakes. Of course, like most
useful tools, nested groups can be misused.
: X.500(93):
: nested groups are not supported when evaluating access controls.
:
: I note that recursive evaluation could be quite expensive.
Yes it could. But only if you use it in a way that MAKES it
expensive. It is not expensive for people who do not use nesting or
are careful about nesting.
Rick Huber
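The two evaluation strategies argued over above (X.500-style direct membership versus recursive expansion of nested groups) and the cost point Rick makes can be shown concretely. The following is an added example, not code from this thread, from OpenLDAP or from any X.500 implementation; the group DNs, the user DNs and the `Verdict` type are constructed for illustration. The recursive evaluator keeps a visited set so that a group that (directly or indirectly) contains itself cannot loop forever, counts how many group entries it had to read, and stops at a configurable nesting depth, which is what keeps the cost bounded for a directory that does not nest deeply.

```python
from dataclasses import dataclass

# Constructed sample directory: group DN -> list of member DNs.
# Members may be users or other groups; tier3 deliberately points
# back at helpdesk so the data contains a cycle.
DIRECTORY = {
    "cn=helpdesk,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=tier2,ou=groups,dc=example,dc=com",
    ],
    "cn=tier2,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
        "cn=tier3,ou=groups,dc=example,dc=com",
    ],
    "cn=tier3,ou=groups,dc=example,dc=com": [
        "uid=carol,ou=people,dc=example,dc=com",
        "cn=helpdesk,ou=groups,dc=example,dc=com",   # cycle back to the top
    ],
}

HELPDESK = "cn=helpdesk,ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
CAROL = "uid=carol,ou=people,dc=example,dc=com"
DAVE = "uid=dave,ou=people,dc=example,dc=com"     # not a member of anything


@dataclass(frozen=True)
class Verdict:
    member: bool           # does the subject end up in the group?
    groups_expanded: int   # how many group entries had to be read
    truncated: bool        # True if the depth limit cut the search short


def direct_member(subject, group, directory):
    """X.500(93)-style check: only the group's own member list counts."""
    return subject in directory.get(group, ())


def nested_member(subject, group, directory, max_depth=4):
    """Recursive check with cycle protection and a nesting-depth cap.

    Groups are expanded at most once each (the visited set), so a
    membership cycle terminates. Nested groups deeper than max_depth
    are not expanded; the verdict records that truncation so the
    caller can treat an inconclusive answer as a denial rather than
    silently granting access.
    """
    visited = set()
    truncated = False
    stack = [(group, 0)]
    while stack:
        current, depth = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        for member in directory.get(current, ()):
            if member == subject:
                return Verdict(True, len(visited), truncated)
            if member in directory and member not in visited:
                if depth + 1 > max_depth:
                    truncated = True      # too deep: do not follow this group
                    continue
                stack.append((member, depth + 1))
    return Verdict(False, len(visited), truncated)


def chain_directory(length):
    """Build a constructed straight chain level0 -> level1 -> ... with one user at the end."""
    names = [f"cn=level{i},ou=groups,dc=example,dc=com" for i in range(length)]
    directory = {names[i]: [names[i + 1]] for i in range(length - 1)}
    directory[names[-1]] = ["uid=zed,ou=people,dc=example,dc=com"]
    return directory


if __name__ == "__main__":
    print("direct, bob in helpdesk:", direct_member(BOB, HELPDESK, DIRECTORY))
    print("nested, bob in helpdesk:", nested_member(BOB, HELPDESK, DIRECTORY))
    print("nested, dave in helpdesk:", nested_member(DAVE, HELPDESK, DIRECTORY))
    deep = chain_directory(7)
    print("deep chain, cap 4:", nested_member("uid=zed,ou=people,dc=example,dc=com",
                                             "cn=level0,ou=groups,dc=example,dc=com", deep))
```

`groups_expanded` is the quantity Rick's "only if you use it in a way that MAKES it expensive" refers to: for a flat group it is 1, the same as the direct check, and it only grows with the depth an administrator actually builds into the data. A server that expands nested groups should also cache the expanded membership per request (or per entry) so that the same group is not walked once for every ACI that names it.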