[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Granting rights based on relationships

To: Mark Valence <kurash@sassafras.com>
Subject: Re: Granting rights based on relationships
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 07 Jun 2000 13:01:49 -0700
Cc: openldap-devel@OpenLDAP.org
In-reply-to: <v0422080eb564519769cd@[192.168.0.8]>
References: <3.0.5.32.20000607114044.00942b50@infidel.boolean.net> <3.0.5.32.20000602083416.0096cb70@infidel.boolean.net> <3.0.5.32.20000602083416.0096cb70@infidel.boolean.net> <3.0.5.32.20000607114044.00942b50@infidel.boolean.net>

At 03:41 PM 6/7/00 -0400, Mark Valence wrote:
>While we're talking about ACLs and ACIs, here's what I'd like to be 
>able to do.  I'd like to grant rights based on (dynamic) 
>relationships between the subject and the object.  Like grant access 
>to my boss's secretary, or to all my brother's children.  My boss 
>might change, or his secretary might change, so I don't want to 
>hard-code a DN.  Likewise, my brother might have a new kid, I don't 
>want to have to update my list (or use a group) when his object 
>contains this info.

Something like:

access to dn="cn=me..." attrs=entry,title
 by dnattr=manager/secretary write
 by dnattr=brother/children read

Follow-Ups:
- Re: Granting rights based on relationships
  - From: Mark Valence <kurash@sassafras.com>

References:
- Re: ACI syntax
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: ACI syntax
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Granting rights based on relationships
  - From: Mark Valence <kurash@sassafras.com>

Prev by Date: Re: ACI syntax
Next by Date: Re: Granting rights based on relationships
Index(es):
- Chronological
- Thread