Re: Controlling access based on group membership
On 22/2/2012 6:27 μμ, Nick Milas wrote:
Can someone more experienced with sets, please comment on it (confirm
or correct it)?
I have tried to make it more precise. So, assuming the schema is as
follows (OIDs are hypothetical), can someone comment on the following
(modified accordingly) access list?
Thanks,
Nick
============= ACL =======================
access to <some entries> <some attributes>
    by set="this/writeAccessEntities/member* & user" write
    by set="this/readAccessEntities/member* & user" read
    by set="this/searchAccessEntities/member* & user" search
============= Schema ====================
attributetype ( 4.3.6.1.4.1.50000.4.1.11
    NAME 'writeAccessEntities'
    DESC 'DNs of Groups which should be allowed write (full) access to this entry'
    SUP distinguishedName )
attributetype ( 4.3.6.1.4.1.50000.4.1.12
    NAME 'readAccessEntities'
    DESC 'DNs of Groups which should be allowed read (read-only) access to this entry'
    SUP distinguishedName )
attributetype ( 4.3.6.1.4.1.50000.4.1.13
    NAME 'searchAccessEntities'
    DESC 'DNs of Groups which should be allowed search (search-only) access to this entry'
    SUP distinguishedName )
objectclass ( 4.3.6.1.4.1.50000.4.2.101
    NAME 'entryAccessEntities'
    DESC 'Allow access to the entry, to which this class is added, to the entities specified as the values (DNs) of this class attributes'
    SUP top AUXILIARY
    MAY ( writeAccessEntities $ readAccessEntities $ searchAccessEntities ) )
========================================
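
Added example (not part of the original message and not OpenLDAP code): a simplified Python model of how the three "by set=" clauses in the ACL above resolve for one entry, covering nested groups, a self-referencing group and first-match clause ordering. All DNs and group contents are constructed sample data; the model compares DNs as plain strings and treats member* as the set of all member values reachable transitively, which are assumptions of this sketch.

```python
# Simplified model of the ACL's set evaluation; all entries are constructed.
BASE = "dc=example,dc=com"
G = "ou=groups," + BASE
P = "ou=people," + BASE
DIT = {  # DN -> {attribute: [values]}
    "cn=doc1," + BASE: {
        "writeAccessEntities": ["cn=editors," + G],
        "readAccessEntities": ["cn=staff," + G],
        "searchAccessEntities": ["cn=everyone," + G],
    },
    "cn=editors," + G: {"member": ["uid=alice," + P, "cn=leads," + G]},
    "cn=leads," + G: {"member": ["uid=erin," + P]},
    "cn=staff," + G: {"member": ["cn=editors," + G, "uid=bob," + P]},
    # A group that lists itself: the expansion must not loop forever.
    "cn=everyone," + G: {
        "member": ["cn=everyone," + G, "cn=staff," + G, "uid=carol," + P]
    },
}

# Clause order from the ACL: the first matching "by" clause decides.
CLAUSES = [
    ("writeAccessEntities", "write"),
    ("readAccessEntities", "read"),
    ("searchAccessEntities", "search"),
]

def deref(dns, attr, recursive=False):
    """Model set/attr (set/attr* when recursive): gather attr values of each DN."""
    found, seen, todo = set(), set(), list(dns)
    while todo:
        dn = todo.pop()
        if dn in seen:  # already expanded; guards against membership cycles
            continue
        seen.add(dn)
        for value in DIT.get(dn, {}).get(attr, []):
            found.add(value)
            if recursive:
                todo.append(value)
    return found

def access_level(entry_dn, user_dn):
    """Level granted by the first clause whose set contains the user."""
    for attr, level in CLAUSES:
        groups = deref([entry_dn], attr)          # this/<attr>
        members = deref(groups, "member", True)   # .../member*
        if user_dn in members:                    # "& user" is non-empty
            return level
    return "none"  # no clause matched: the implicit trailing "by * none"
```

In this model alice is also reachable through the read and search groups, but the write clause is listed first and therefore decides her level.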