
Re: Global ACLs - Impacts access control and SLAPI (ITS#3100)



At 06:12 AM 4/20/2004, ando@sys-net.it wrote:
>> I don't think it is broken, but intended behavior:
>>
>> If there are global acls, they apply to all databases
>> after any db acls.  If the db has no acls, global acls
>> are used.
>>
>> If the target is not within any database, acls of
>> first database (then global acls) apply.
>>
>> It's been this way for many years (long before SLAPI).
>
>I'll revert in a moment.  My concern was that
>when addressing rootDSE or cn=subschema, I had
>to run through the first database rules, which is
>counterintuitive; wouldn't it be better to
>address this specific case by short-circuiting
>to global_acl?

Then they wouldn't be global acls.  They'd be
acls which applied to objects outside of all
databases.  While it might make sense to have
a set of ACLs which applied to this set of
objects, it is a different set concept than
intended.

(Note that global ACLs were invented before there
was a root DSE or cn=subschema.)

Kurt
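
Added example, not part of the original messages and not OpenLDAP source: a small Python model of the ACL selection order described in this thread, showing why a request for the root DSE or cn=subschema is checked against the first database's rules before the global ones. The `Database` class, the function names, the sample suffixes and rule labels are all constructed for illustration, and the suffix matching (longest match, no escaped commas) is a simplifying assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Database:
    suffix: str                       # naming context of the database
    acls: list = field(default_factory=list)

def _rdns(dn):
    # Simplified normalization (assumption): lowercase, split on commas.
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def find_database(target_dn, databases):
    """Return the database holding target_dn, or None if it is in none."""
    target, best, best_len = _rdns(target_dn), None, 0
    for db in databases:
        suf = _rdns(db.suffix)
        if suf and target[-len(suf):] == suf and len(suf) > best_len:
            best, best_len = db, len(suf)
    return best

def acl_chain(target_dn, databases, global_acls):
    """Ordered list of ACLs consulted for target_dn, per the thread:
    database ACLs first, then global ACLs; a target outside every
    database uses the first database's ACLs, then the global ones."""
    db = find_database(target_dn, databases)
    if db is None and databases:
        db = databases[0]             # root DSE, cn=subschema, ...
    db_acls = db.acls if db is not None else []
    return list(db_acls) + list(global_acls)

# Constructed sample configuration (labels stand in for real access rules).
DATABASES = [
    Database("dc=example,dc=com", ["db1-rule"]),
    Database("dc=example,dc=org", []),          # database with no ACLs
]
GLOBAL_ACLS = ["global-rule"]

if __name__ == "__main__":
    for dn in ["uid=a,ou=people,dc=example,dc=com",
               "cn=x,dc=example,dc=org", "", "cn=subschema"]:
        print(repr(dn), "->", acl_chain(dn, DATABASES, GLOBAL_ACLS))
```

When auditing a configuration against this model, the rules of whichever database is declared first deserve the same review as the global ones, since they are also consulted for entries outside every database.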