ACL redundancy
I've got a kind of ugly, annoying ACL problem I can't seem to get my
head around solving ...
We've got our users, inactive users, address books, etc., all under ou=contacts, i.e.:
ou=users,ou=contacts
ou=inactive_users,ou=contacts
ou=clients,ou=contacts
The conditions the ACL needs to meet (the example below isn't there yet):
* A user can edit some of their own attributes
* A member of the studio group can edit all of the above + a few extra attributes
* A member of the tech group can edit pretty much anything
* Different "address books" can be made viewable only by certain
groups (not implemented yet, pretty easy though:
access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au" by group blah
write by group otherblah read by * none)
My problem at the moment is the amount of duplication in the who
rules. Also, I don't necessarily want to give the studio group
access to edit anything in, say, ou=clients,ou=contacts, but I do want to
for ou=users,ou=contacts - mixing and matching the whats is kinda
doing my head in :-) I almost need a way to have a what that is both
dn.children and attrs, but that doesn't seem to be allowed ...
access to attrs="telephoneNumber,l,mobile,mozillaSecondEmail,homePostalAddress,displayName"
        by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by self write
        by * read

access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
        by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by * read

access to *
        by * read
Any help in "simplifying" this is greatly appreciated, as this is only
the beginning of the stuff I'm being asked to implement :-)
TIA
Shane.
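As an added example (not from Shane's post, and not OpenLDAP project code), here is one way the rules above could be restructured with less duplication. slapd.access(5) does accept dn.children and attrs together in a single what clause, and the break control lets the tech group be handled in one rule instead of being repeated in every rule. The suffix dc=rsp,dc=com,dc=au and the group DNs come from the post; the attribute names title and departmentNumber are placeholders standing in for the "few extra attributes" the studio group should be able to edit.

```conf
# Added example for slapd.conf; not from the original post.
# slapd evaluates access directives in order and uses the first <what>
# that matches, so the ordering below is deliberate.

# 1. Tech group edits everything under ou=contacts. Everyone else gets
#    no privilege here (+0) and falls through to the later rules (break),
#    so "by group=cn=tech,..." does not need to appear again.
access to dn.subtree="ou=contacts,dc=rsp,dc=com,dc=au"
        by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by * +0 break

# 2. Self-service attributes on entries under ou=users only (dn.children
#    and attrs combined in one <what>). ou=clients is not affected.
access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
        attrs=telephoneNumber,l,mobile,mozillaSecondEmail,homePostalAddress,displayName
        by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by self write
        by * read

# 3. Extra attributes that only the studio group may edit on user entries.
#    title and departmentNumber are placeholder attribute names.
access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
        attrs=title,departmentNumber
        by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by * read

# 4. Password hashes must never be readable: self may change it, anonymous
#    may only bind against it. This rule has to precede the catch-all.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 5. Remaining attributes (including the entry pseudo-attribute) under
#    ou=users are read-only for everyone, studio included.
access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
        by * read

# 6. A per-address-book view: the client book is visible to studio only.
#    Tech was already granted write by rule 1.
access to dn.children="ou=clients,ou=contacts,dc=rsp,dc=com,dc=au"
        by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" read
        by * none

# 7. Catch-all for anything not matched above.
access to *
        by * read
```

Two things to check when applying a layout like this: the attrs rules (2 and 3) must sit above the bare dn.children rule (5), otherwise rule 5 matches first and the attribute-level write grants are never reached; and the userPassword rule (4) must sit above the catch-all, because "access to * by * read" on its own lets any bound or anonymous client read password hashes. After editing, a slapd -Tt style config test plus an ldapmodify attempt as a non-privileged user against an attribute outside its allowed set is the quickest way to confirm the deny paths behave as intended.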