
reverse membership and permissions



  I'm curious about the intended permissions model for reverse
  group membership:

    http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance

  Consider the case where a user should only have write access to
  their own attributes and a friends group to which they can add
  their friends. The reverse group membership overlay is used to
  propagate `memberOf` attributes to all the users that they
  add to their group of friends. We do it this way because
  'denormalizations' of this kind are helpful for query
  efficiency.

  For this application, it seems right for the overlay to
  propagate changes that a user does not have permission to
  execute themselves -- we don't have to let a user know who
  anybody else's friends are, for example; nor can they change
  that attribute.

  If this can be added, it'd be great. If it's already possible,
  I'd appreciate it if it were part of the documentation.

-- 
_jsn