Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
In your patch, it appears that modify/replace only requires
add. However, as modify/replace deletes existing values,
it should require delete as well.
Kurt
At 12:12 PM 4/4/2005, Pierangelo Masarati wrote:
>> What I was trying to ask is, what's driving this? The
>> desire to control entry add/deletes or the desire to
>> control attribute add/deletes. "Both" is a reasonable
>> answer.
>
>My personal driver was the capability to separate the permission to add
>entries from that to delete them; so that separate identities may be
>needed for entry addition and entry deletion. As a side effect, the very
>same approach allows separating the capability to add and delete
>attribute values. This is what the implementation in my patch does. I
>think the capability to separate attribute value addition and deletion may
>add some value to slapd's capability. It is my intention, if this appears
>to work fine, to extend the capability to other backend types and to other
>access checking approaches (i.e. ACIs).
>
>p.
>
>--
>Pierangelo Masarati
>mailto:pierangelo.masarati@sys-net.it
>
>
> SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
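
The privilege check discussed in the reply at the top of this message, as an added example that is not part of the original post or of the patch under discussion. The privilege bits, struct names and the `strict_replace` switch are hypothetical: with `strict_replace` set to 0 the check models replace requiring add only, and with 1 it requires add and delete, so an identity granted add only cannot remove values by replacing them.

```c
#include <stddef.h>
#include <strings.h>

/* Hypothetical privilege bits for this example; not slapd's identifiers. */
enum { PRIV_ADD = 1u << 0, PRIV_DEL = 1u << 1 };

/* Operation codes of an LDAP modify request (RFC 4511). */
enum mod_op { MOD_ADD = 0, MOD_DELETE = 1, MOD_REPLACE = 2 };

struct mod   { enum mod_op op; const char *attr; };
struct grant { const char *attr; unsigned privs; };

/* Privileges one modification needs. With strict_replace == 0 this models
 * replace requiring add only; with 1, replace needs add and delete. */
static unsigned required_privs(enum mod_op op, int strict_replace)
{
    switch (op) {
    case MOD_ADD:     return PRIV_ADD;
    case MOD_DELETE:  return PRIV_DEL;
    case MOD_REPLACE: return strict_replace ? (PRIV_ADD | PRIV_DEL) : PRIV_ADD;
    }
    return PRIV_ADD | PRIV_DEL;   /* unknown op: demand everything */
}

/* Privileges granted on attr; no matching grant means none (fail closed). */
static unsigned granted_privs(const struct grant *g, size_t ng, const char *attr)
{
    for (size_t i = 0; i < ng; i++)
        if (strcasecmp(g[i].attr, attr) == 0)   /* attribute names ignore case */
            return g[i].privs;
    return 0;
}

/* Index of the first modification the grants do not cover, or -1 if the
 * whole request is permitted. */
int first_denied_mod(const struct mod *mods, size_t nm,
                     const struct grant *g, size_t ng, int strict_replace)
{
    for (size_t i = 0; i < nm; i++) {
        unsigned need = required_privs(mods[i].op, strict_replace);
        if ((granted_privs(g, ng, mods[i].attr) & need) != need)
            return (int)i;
    }
    return -1;
}
```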