
Re: ldapACI permissions for ldap_modify (write)



One problem with associating permissions with specific operations
and suboperations is that it becomes difficult to state how they
apply in the face of controls and extended operations.  That is,
saying that "modify" permission applies to any and all operations
which add, delete, replace or otherwise change entries is clear
and complete.  The "otherwise" implies that permission should
apply also to modifications of values requested via MODDN,
extended operations, and controls.

You can add finer grained modify permissions as long as you
ensure that all potential requests doing updates are subject
to access controls.


At 10:20 PM 4/17/00 -0500, Ellen Stokes wrote:
>From last Tues's conference call we all agreed that the permissions
>to reflect the ability to write (ldap_modify) data needs to reflect the
>ldap_modify sub-operations of add, delete, and replace.  These new
>permissions will still remain single alphabetic characters.
>
>Since 'a' and 'd' are already taken, here's the proposed characters
>from one of my previous emails on this subject:
>
>modify / write (add)  = 'w'
>modify / del = 'o'
>modify / replace = 'o' + 'w'
>
>The write permission is broken into two permissions (add and delete)
>where replace requires both add and delete.  Proposed permissions for
>this change are 'w' for write/add and 'o' for write/delete (obliterate)
>where write/replace operation requires both w and o to be set.
>
>Ellen
>
>
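A toy access check for the 'w'/'o' scheme proposed in the quoted message, added here as an example and not code from either poster or from any LDAP server. It assumes the permission string and sub-operation names are as given above, and (the reply's point) that a ModDN or any other value-changing update path is mapped onto the same 'w'/'o' characters rather than slipping past the check; the `moddn` mapping and the `(op, attribute)` request shape are constructed assumptions.

```python
# Added example: evaluate a whole modify-style request against an ACI
# permission string using the proposed characters:
#   'w' = write/add, 'o' = write/delete ("obliterate"), replace = 'w' + 'o'.

# Required permission characters per ldap_modify sub-operation (from the thread).
REQUIRED = {
    "add": {"w"},
    "delete": {"o"},
    "replace": {"w", "o"},   # replace removes old values and adds new ones
}

# Assumed mapping of other update paths onto the same characters, so that a
# ModDN (which drops the old RDN value and adds the new one) is also covered.
OTHER_UPDATES = {
    "moddn": {"w", "o"},
}


def missing_permissions(granted: str, changes) -> set:
    """Return the permission characters `granted` lacks for this request.

    `granted` is the ACI permission string (e.g. "rwo"); `changes` is a list
    of (sub_operation, attribute) pairs making up one request.  The request
    is judged as a whole: any missing character denies the entire operation.
    """
    needed = set()
    for op, _attr in changes:
        if op in REQUIRED:
            needed |= REQUIRED[op]
        elif op in OTHER_UPDATES:
            needed |= OTHER_UPDATES[op]
        else:
            # Unmapped update path (e.g. an unknown extended op): fail closed
            # instead of letting it bypass the access check.
            raise ValueError(f"unmapped update operation: {op}")
    return needed - set(granted)


def is_allowed(granted: str, changes) -> bool:
    return not missing_permissions(granted, changes)


if __name__ == "__main__":
    # Constructed samples: a client holding only 'w' attempts a replace.
    print(is_allowed("rw", [("replace", "mail")]))                # False, needs 'o'
    print(is_allowed("rwo", [("replace", "mail")]))               # True
    print(is_allowed("rw", [("add", "mail"), ("delete", "cn")]))  # False
```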