Re: Allowing users to add, but not delete, entries?

[Pierangelo Masarati <masarati@aero.polimi.it>]

Gervase Markham wrote:
> Hi,
>
> Summary: is it possible to configure access control such that users to 
> can add, but not delete, entries?

Yes, see "add" level (cfr.. "a" permission) in slapd.access(5).

p.

> Details:
>
> My planned schema has a branch:
>
> ou=tags,dc=example,dc=com
>
> The entries below this are like this:
>
> objectClass=groupOfNames
> cn=sometagname
> member=<user dn 1>
> member=<user dn 2>
> member=<user dn 3>
> ...
>
> I have worked out how to make it so users can only add and remove 
> themselves from a tag:
>
> access to dn.children="ou=tags,dc=example,dc=com" attrs=member,entry
>   # Allow people to add and remove themselves from any other tag
>   by dnattr=member selfwrite
>   # Allow anyone to read
>   by anonymous read
>
> So far so good, but I would like authenticated users to be able to add 
> new entries (tags), and add themselves as members to them, but _not_ to 
> be able to delete tags.
>
> Even better, the tag would be deletable, or even automatically removed, 
> but only if the user removed their own name and there were no more 
> members - i.e. it was empty. (I believe the member attribute is 
> mandatory in groupOfNames, and I don't want it to be impossible for 
> someone to remove their name because they are the only member!)
>
> This is difficult, because as far as I can see the "write" permission 
> does not distinguish between adding and deleting.
>
> Can someone tell me if this is possible?
>
> Thanks,
>
> Gerv