[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: expansion of groups/roles/subtree subjects in LDAP ACM
At 07:25 AM 7/9/2001, robert byrne wrote:
>Kurt,
>
>I think what's needed here is for the draft to specify that, if the
>evaluation of any part of the subject fails, then the subject part of
>that aci does not apply. So we can change the intro to 4.3.2.4 to
>something like:
>
>"4.3.2.4 Applicability Rules for Subjects
>
>Call the subject portion of the ACI in question aciSubject. Then to
>determine if aciSubject applies to requestorSubject we apply the
>following rules. In the case where the server fails to evaluate a
>rule and so fails to fully confirm that aciSubject applies, then
>aciSubject does not apply."
I believe that rules for expansion of subjects should be
consistent with X.501(93), 16.4.2.5 "Determining group membership".
In particular,
a) A DSA is not required to perform a remote operation to determine whether the
requestor belongs to a particular group for the purposes of Basic Access Control.
If membership in the group cannot be evaluated, the DSA shall assume that the
requestor does not belong to the group if the ACI item grants the permission sought,
and does belong to the group if it denies the permission sought.
NOTE 1 ? Access control administrators must beware of basing access controls on membership
of non-locally available groups or groups which are available only through replication (and which
may, therefore, be out of date).
NOTE 2 ? For performance reasons it is usually impractical to retrieve group membership from
remote DSAs as part of the evaluation of access controls. However, in certain circumstances it
may be practical, and a DSA is permitted, for example, to perform remote operations to obtain
or refresh a local copy of a group entry or use the Compare operation to check membership
prior to applying this clause.
I believe (b) makes sense as well, but that's another thread.