Re: Comments on Access Control Model draft - grant/deny evaluation rules
I also believe the ability to evaluate nested groups is something that
directory users would expect to be able to do and would eventually
request--and so is important for the ACM.
On the implementation side I think caching group membership is a
workable solution that would give acceptable performance.
Rob.
Bruce Greenblatt wrote:
>
> >:
> >: Maybe David or someone from the X.500 crowd could comment on
> >: why X.500 does not recursively evaluate groups and roles their
> >: ACM.
> >
> >I'd like to hear it. There are cases that come up frequently in my
> >life (e.g. tiered support organizations) where nested groups are really
> >important and useful as a way to control administrative overhead and
> >reduce the chances of making security mistakes.
>
> I strongly agree. Nested groups are very useful. If an LDAP server
> supports the Access Control Model, and it supports nesting of groups, then
> it certainly ought to support nesting of groups when evaluating access
> controls. This is one of the strong points of using LDAP to store access
> control information.
>
> >: X.500(93):
> >: nested groups are not supported when evaluating access controls.
> >:
>
> ==============================================
> Bruce Greenblatt, Ph. D.
> Directory Tools and Application Services, Inc.
> http://www.directory-applications.com
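One way to implement the cached nested-group evaluation Rob proposes, added here as an illustration and not code from the thread or from any LDAP server; the DNs, the group layout (tier1 nested in tier2 nested in admins, with admins also listing itself) and the class name are constructed for the example.

```python
from typing import Dict, FrozenSet, Set

# Constructed sample directory (hypothetical DNs): group DN -> direct member DNs,
# where a member may itself be a group. "admins" lists itself to show that a
# cycle in the group graph must not hang the evaluator.
PEOPLE = "ou=people,dc=example,dc=com"
GRPS = "ou=groups,dc=example,dc=com"
GROUPS: Dict[str, Set[str]] = {
    f"cn=tier1,{GRPS}": {f"uid=alice,{PEOPLE}"},
    f"cn=tier2,{GRPS}": {f"uid=bob,{PEOPLE}", f"cn=tier1,{GRPS}"},
    f"cn=admins,{GRPS}": {f"cn=tier2,{GRPS}", f"cn=admins,{GRPS}"},
}


class MembershipCache:
    """Expands nested groups once per group and remembers the result.

    Groups are walked iteratively with a visited set, so cycles and
    diamond-shaped nesting terminate. Call invalidate() whenever a group
    entry changes: cached sets of enclosing groups depend on it too.
    """

    def __init__(self, groups: Dict[str, Set[str]]) -> None:
        self.groups = groups
        self._expanded: Dict[str, FrozenSet[str]] = {}
        self.expansions = 0  # full traversals performed, to show the cache working

    def invalidate(self) -> None:
        self._expanded.clear()

    def expand(self, group_dn: str) -> FrozenSet[str]:
        """Return every non-group DN reachable from group_dn through nesting."""
        if group_dn in self._expanded:
            return self._expanded[group_dn]
        self.expansions += 1
        users: Set[str] = set()
        seen = {group_dn}
        pending = [group_dn]
        while pending:
            for member in self.groups.get(pending.pop(), ()):
                if member not in self.groups:
                    users.add(member)  # leaf entry: a user DN
                elif member not in seen:  # nested group not yet visited
                    seen.add(member)
                    pending.append(member)
        self._expanded[group_dn] = frozenset(users)
        return self._expanded[group_dn]

    def is_member(self, user_dn: str, group_dn: str) -> bool:
        # The test an access-control evaluator runs for a group-based rule.
        return user_dn in self.expand(group_dn)
```

Because a change to one group alters the transitive membership of every group enclosing it, the cache is cleared as a whole on modification rather than per entry.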