
ACM permission



I have been thinking about simplifying the permissions 
in the ACM and also adding permissions for controls. How
about:

permissions for attributes: read, modify, create, delete
permissions for entries: read, modify, create, delete

and add control OID as a possible target with a permission
of use

so:

    ACI = rights "#" target "#" generalSubject

    permission = "r" / ; read
                 "m" / ; modify
                 "c" / ; create
                 "d" / ; delete
                 "u"   ; use
    ; permission u can only be used on controls

    target = "[all]" / "[entry]" / (attribute *("," attribute)) /
         "[controls]" / (controlType *("," controlType))

    controlType is defined in RFC2251


Granting these permissions allows:

Entry read - allows access to DN
Entry modify - can change DN
Entry create - can create an entry below this entry
Entry delete - can delete this entry

Attribute read - can read attribute 
Attribute modify - can modify replace attribute values
Attribute delete - can modify delete attribute values
Attribute create - can modify add attribute values

Control use - can use control where aci is active (this
              replaces the g permission in a more
              general way)


This does not give quite the same detailed level of
control as the current scheme, but is much easier
to understand from an administration point of view,
rather than a protocol point of view.

Mark
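One way to check ACIs written in the proposed syntax, as an added example that is not part of the original post. The numeric-OID pattern, the free-form subject, and the rule that control targets take only "u" are my assumptions; only "u is valid solely on controls" is stated in the proposal.

```python
import re

# Proposed grammar:  ACI = rights "#" target "#" generalSubject
PERMISSIONS = set("rmcdu")                      # r/m/c/d/u as listed above
KEYWORD_TARGETS = {"[all]", "[entry]", "[controls]"}
OID_RE = re.compile(r"^\d+(\.\d+)+$")           # assumption: a controlType is a dotted numeric OID

def parse_aci(aci: str) -> dict:
    """Split an ACI into its three fields and validate the proposed rules.

    Raises ValueError on malformed input, on "u" applied to a non-control
    target (the rule stated in the proposal), or on any permission other
    than "u" applied to a control target (assumed from the permission list).
    """
    parts = aci.split("#")
    if len(parts) != 3:
        raise ValueError("ACI must have exactly three '#'-separated fields")
    rights_str, target_str, subject = (p.strip() for p in parts)
    rights = set(rights_str)
    unknown = rights - PERMISSIONS
    if not rights or unknown:
        raise ValueError(f"bad permission letters: {sorted(unknown)}")
    if target_str in KEYWORD_TARGETS:
        target = target_str
        is_control = target_str == "[controls]"
    else:
        items = [t.strip() for t in target_str.split(",")]
        if any(not t for t in items):
            raise ValueError("empty element in target list")
        # A list is either all control OIDs or all attribute names, never mixed
        oid_flags = [bool(OID_RE.match(t)) for t in items]
        if any(oid_flags) and not all(oid_flags):
            raise ValueError("target mixes control OIDs and attribute names")
        is_control = all(oid_flags)
        target = items
    if "u" in rights and not is_control:
        raise ValueError("'u' permission is only valid on control targets")
    if is_control and rights != {"u"}:
        raise ValueError("control targets accept only the 'u' permission")
    return {"rights": rights, "target": target, "subject": subject,
            "is_control": is_control}

def rejects(aci: str) -> bool:
    """True if the ACI violates the proposed rules (handy for table-driven checks)."""
    try:
        parse_aci(aci)
    except ValueError:
        return True
    return False
```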