
Re: ACL : give a user the right to create objects, but to modify only those he created



François Beretti wrote:

Hallvard B Furuseth wrote:

François Beretti writes:


I want to give my users the right to create objects of a given class, without giving them the right to modify those created by other users
For the second part I can use the creatorsName attribute, but I don't know how I can make a difference between the right to create an entry and the right to modify it.


See OPERATION REQUIREMENTS in slapd.access(5):

    The add operation requires  write  (=w)  privileges  on  the
    pseudo-attribute  entry  of the entry being added, and write
    (=w) privileges on  the  pseudo-attribute  children  of  the
    entry's parent.

    The modify operation requires write (=w) privileges  on  the
    attributes being modified.



According to what you say, the right to add an entry implies the right to modify it and to delete it.
So if every user can create these entries, then every user can delete it.

No, to add an entry you need write permission on the pseudo-attribute "entry" of the entry and on the pseudo-attribute "children" of the parent; to modify an entry's attrs you need "write" permission on the attrs; so, entry add/delete and attribute modify permissions are orthogonal.


Furthermore, if you want __ONLY__ the creator to be allowed to delete an entry, e.g. allow members of "cn=bar,dc=foo" group to append children to "dc=foo", but only allow the creator to modify and delete it, you can use:

# members of "cn=bar" can create children of "dc=foo"
access to dn.exact="dc=foo" attrs=children
   by group.exact="cn=bar,dc=foo" write

# only the creator can modify and delete them
access to dn.onelevel="dc=foo" attrs=entry,@extensibleObject
   by set="this/creatorsName & user" write
   by * read

p.




SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
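To make the orthogonality of add/delete and modify concrete, here is an added example (not code from the thread or from OpenLDAP) that models, in Python, how slapd evaluates the two access directives posted above against the OPERATION REQUIREMENTS quoted from slapd.access(5). It implements first-match semantics only for the constructs used in the post (dn.exact, dn.onelevel, attrs= lists with the entry/children pseudo-attributes and @extensibleObject, group.exact, set="this/creatorsName & user", and *). The user DNs, the group membership and the entries are constructed for the illustration; it also assumes, as the posted ACL does, that slapd has already stamped creatorsName with the bind DN when the add operation is checked.

```python
"""Toy model of slapd ACL evaluation for the add/modify/delete rules quoted
from slapd.access(5), applied to the two directives posted in the thread.
Added illustration, not slapd code: first-match semantics for dn.exact,
dn.onelevel, attrs= (with the entry/children pseudo-attributes and
@extensibleObject), group.exact, set="this/creatorsName & user" and "*".
"""

from dataclasses import dataclass

BASE = "dc=foo"
GROUP_DN = "cn=bar,dc=foo"

# Constructed directory state: members of cn=bar and a few existing entries.
GROUP_MEMBERS = {"cn=alice,dc=foo", "cn=bob,dc=foo"}
ENTRIES = {
    "dc=foo": {"creatorsName": "cn=manager,dc=foo"},
    "cn=bar,dc=foo": {"creatorsName": "cn=manager,dc=foo"},
    "ou=alice-thing,dc=foo": {"creatorsName": "cn=alice,dc=foo",
                              "description": "owned by alice"},
}

PSEUDO = {"entry", "children"}   # pseudo-attributes, never matched by @extensibleObject


def parent_dn(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


@dataclass
class Directive:
    scope: str    # "exact" or "onelevel", as in dn.exact / dn.onelevel
    dn: str
    attrs: set    # attribute names; "@extensibleObject" stands for any user attribute
    by: list      # ordered (who, level) pairs, first match wins

    def matches_target(self, dn, attr):
        if self.scope == "exact" and dn != self.dn:
            return False
        if self.scope == "onelevel" and parent_dn(dn) != self.dn:
            return False
        return attr in self.attrs or (
            "@extensibleObject" in self.attrs and attr not in PSEUDO)


# The two directives from the post, in the same order.
ACL = [
    Directive("exact", BASE, {"children"}, [("group", "write")]),
    Directive("onelevel", BASE, {"entry", "@extensibleObject"},
              [("creator", "write"), ("*", "read")]),
]


def who_matches(who, user, entry):
    if who == "group":     # group.exact="cn=bar,dc=foo"
        return user in GROUP_MEMBERS
    if who == "creator":   # set="this/creatorsName & user": non-empty iff creator == bind DN
        return entry.get("creatorsName") == user
    return who == "*"


def access(user, dn, attr, entry):
    """Privilege `user` gets on attribute `attr` of `dn`: the first matching
    directive decides, and within it the first matching `by` clause; with no
    matching `by` clause the implicit `by * none` applies."""
    for d in ACL:
        if d.matches_target(dn, attr):
            for who, level in d.by:
                if who_matches(who, user, entry):
                    return level
            return "none"
    return "none"   # simplification: slapd's default for unmatched targets is not modelled


# OPERATION REQUIREMENTS from slapd.access(5), as quoted in the thread.
def can_add(user, dn):
    new_entry = {"creatorsName": user}   # assumed: creatorsName is the bind DN at ACL check time
    p = parent_dn(dn)
    return (access(user, dn, "entry", new_entry) == "write"
            and access(user, p, "children", ENTRIES.get(p, {})) == "write")


def can_delete(user, dn):
    if dn not in ENTRIES:
        return False
    p = parent_dn(dn)
    return (access(user, dn, "entry", ENTRIES[dn]) == "write"
            and access(user, p, "children", ENTRIES.get(p, {})) == "write")


def can_modify(user, dn, attr):
    return dn in ENTRIES and access(user, dn, attr, ENTRIES[dn]) == "write"


if __name__ == "__main__":
    target = "ou=alice-thing,dc=foo"
    for u in ("cn=alice,dc=foo", "cn=bob,dc=foo", "cn=carol,dc=foo"):
        print(u, "add:", can_add(u, "ou=new,dc=foo"),
              "modify:", can_modify(u, target, "description"),
              "delete:", can_delete(u, target))
```

Running it shows the split the post describes: bob, a member of cn=bar who did not create ou=alice-thing, can add a new child of dc=foo but gets only read on alice's entry, so he can neither modify nor delete it; carol, outside the group, cannot add at all because write on the children pseudo-attribute of dc=foo is missing; alice, the creator, can modify and delete. The model deliberately leaves out what the thread does not discuss (slapd's behaviour when no directive matches a target, how group membership is resolved internally), so it is a reading aid for the posted ACL rather than a substitute for testing against a real slapd with ldapadd, ldapmodify and ldapdelete.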