Re: Granting rights based on relationships

[Mark Valence <kurash@sassafras.com>]

>  >While we're talking about ACLs and ACIs, here's what I'd like to be
>  >able to do.  I'd like to grant rights based on (dynamic)
>  >relationships between the subject and the object.  Like grant access
>  >to my boss's secretary, or to all my brother's children.  My boss
>  >might change, or his secretary might change, so I don't want to
>  >hard-code a DN.  Likewise, my brother might have a new kid, I don't
>  >want to have to update my list (or use a group) when his object
>  >contains this info.
>
> Something like:
>
> access to dn="cn=me..." attrs=entry,title
>  by dnattr=manager/secretary write
>  by dnattr=brother/children read

Yup.  An arbitrary number of "links" though, and not just starting 
from the current object.  For example, to do brother's children, 
person objects might just have "sibling" and "parent" attributes.  In 
this case, I'd need to grant access if the currently connected user's 
father was the object's (my) brother.  Obviously there are 
multi-value attribute issues here, but they are easy enough to manage.

Is this of any interest?  I can give you a full syntax if you want.

Mark.