Re: "dynamic" acls
Alexander Blüm wrote:
> would you have to use the groupOfNames?

I use groupOfUniqueNames, but I think groupOfNames will work fine.

> could you show an example?

This is an example of one of our "dynamic" rules. You mentioned
that you would like to *suppress* access using certain rules, whereas
I generally *allow* access. It should be pretty similar, though,
except the order of things might need to change (watch the spacing
below!!):

## Branch Managers can write within their own branch
access to dn="ou=(.*),dc=xxxxx,dc=edu"
    by group/groupOfUniqueNames/uniqueMember="gn=Manager,ou=$1,dc=xxxxx,dc=edu" write
    by self write
    by * read
    by anonymous auth

This allows anyone in the group "gn=Manager" under any given ou to
edit any records within that ou. (Also note that the "gn" thing is
a stupid mistake which is not strictly allowed :-/)
You should be able to come up with something that has the correct
behavior and the right "dynamicness".
HTH,
JZ
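
An added example, not part of the original message and not OpenLDAP code: a small Python model of how slapd evaluates the rule above, substituting the captured ou into the group DN and stopping at the first "by" clause that matches. It goes slightly beyond the post by also evaluating the clauses for an anonymous bind, where "by * read" matches before "by anonymous auth" is reached. The branch names, user DNs and group memberships are constructed sample data, and REORDERED is a hypothetical variant of the clause order.

```python
import re

# Constructed sample data: group DN -> set of uniqueMember DNs.
GROUPS = {
    "gn=Manager,ou=north,dc=xxxxx,dc=edu": {"uid=alice,ou=north,dc=xxxxx,dc=edu"},
    "gn=Manager,ou=south,dc=xxxxx,dc=edu": {"uid=bob,ou=south,dc=xxxxx,dc=edu"},
}

TARGET_RE = r"ou=(.*),dc=xxxxx,dc=edu"               # the rule's dn= pattern
GROUP_TEMPLATE = "gn=Manager,ou=$1,dc=xxxxx,dc=edu"  # the rule's group DN

# <who> clauses in the order posted, and a hypothetical reordering.
POSTED = [("group", "write"), ("self", "write"), ("*", "read"), ("anonymous", "auth")]
REORDERED = [("group", "write"), ("self", "write"), ("anonymous", "auth"), ("*", "read")]


def effective_access(target_dn, bind_dn, clauses=POSTED):
    """Return (who, level) for the first matching clause.

    bind_dn=None models an anonymous bind. Only this one rule is modelled,
    so a target it does not cover falls through to the implicit deny.
    """
    m = re.search(TARGET_RE, target_dn)  # slapd's regex match is unanchored
    if m is None:
        return (None, "none")
    group_dn = GROUP_TEMPLATE.replace("$1", m.group(1))  # $1 = captured ou
    for who, level in clauses:
        if who == "group":
            matched = bind_dn is not None and bind_dn in GROUPS.get(group_dn, set())
        elif who == "self":
            matched = bind_dn is not None and bind_dn == target_dn
        elif who == "anonymous":
            matched = bind_dn is None
        else:  # "*" matches every client, anonymous included
            matched = True
        if matched:
            return (who, level)  # first match wins; later clauses are skipped
    return (None, "none")


if __name__ == "__main__":
    alice = "uid=alice,ou=north,dc=xxxxx,dc=edu"
    for target in ("uid=carol,ou=north,dc=xxxxx,dc=edu",
                   "uid=dave,ou=south,dc=xxxxx,dc=edu"):
        print(target, "<-", alice, effective_access(target, alice))
    print("anonymous:", effective_access("uid=carol,ou=north,dc=xxxxx,dc=edu", None))
```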