
Re: (Fwd) Families, compound attributes and contexts



Date sent:      	Wed, 16 Dec 1998 13:19:44 +0100
From:           	Helmut.Volpers@mch.sni.de (Helmut Volpers)
To:             	d.w.chadwick@iti.salford.ac.uk
Copies to:      	ietf-ldapext@netscape.com
Subject:        	Re: (Fwd) Families, compound attributes and contexts

> Hi David,
> 
> I have a short question about "family of entries". Is there anywhere
> something described, where I can find some issues of Access Control
> in this area?
> 

No, because our original thought was that access controls would 
be simplified if the children were treated as separate entries each 
with their own entry ACI (if needed) otherwise with prescriptive ACI. 
No changes would then be needed to the ACI model.

> I have a prescriptive ACI which defines "everybody can modify the USER
> Attributes in his own entry (UserClasses thisEntry)". Below this entry
> are some children (family of entries) which are related to the user. Does the
> user automatically get the rights for the child, or is the child an entity
> which has to authenticate with its own DN to the directory?


However, you have brought up a very interesting scenario here, 
where there clearly is some benefit in changing the ACI model so 
that an ancestor (root parent) can have access to all his children, 
grandchildren etc. With the current description, the ancestor would 
not automatically gain access to his children simply because he 
has access to his own entry.

The converse also needs to be asked. Will there be instances 
when the ancestor should not have access to the children unless 
given specific rights? If the answer to this is yes, then there will 
clearly need to be changes to the aci model and aci attributes in order 
to be able to distinguish between the two. If the answer is No, then 
only the model would need to be changed and not the aci attributes.

David

***************************************************

David Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351  Fax +44 161 745 8169
Mobile +44 370 957 287
Email D.W.Chadwick@iti.salford.ac.uk
Home Page  http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string A7OX-K3QT-JPTU

***************************************************
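
The three outcomes discussed in the message above, as an added example that is not part of the original thread and is not X.501 ACI evaluation: a simplified Python model of a prescriptive "thisEntry may modify" rule applied to a family of entries. The `Entry`, `AciItem` and `may_modify` names, the `include_family` flag and the sample DNs are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    dn: str
    family_parent: Optional["Entry"] = None   # None for the ancestor (root parent)

@dataclass(frozen=True)
class AciItem:
    """Hypothetical, simplified prescriptive item: user class thisEntry may modify."""
    include_family: bool = False               # hypothetical ACI attribute extension

def family_ancestor(entry: Entry) -> Entry:
    """Walk up the family to the root parent."""
    while entry.family_parent is not None:
        entry = entry.family_parent
    return entry

def may_modify(requestor_dn: str, target: Entry, aci: AciItem, model: str) -> bool:
    """Decide access under one of the three options raised in the thread.

    current          - thisEntry matches only when requestor DN == target DN
    model-change     - the ancestor always reaches its descendants (ACI unchanged)
    attribute-change - the ancestor reaches descendants only if the item says so
    """
    if requestor_dn == target.dn:
        return True                            # plain thisEntry match
    is_ancestor = (target.family_parent is not None
                   and family_ancestor(target).dn == requestor_dn)
    if model == "current":
        return False
    if model == "model-change":
        return is_ancestor
    if model == "attribute-change":
        return is_ancestor and aci.include_family
    raise ValueError(f"unknown model: {model}")

# Constructed sample family: a user entry with a child and a grandchild.
USER = Entry("cn=User,o=Example")
CHILD = Entry("cn=Address,cn=User,o=Example", USER)
GRANDCHILD = Entry("cn=Phone,cn=Address,cn=User,o=Example", CHILD)

if __name__ == "__main__":
    for model in ("current", "model-change", "attribute-change"):
        for aci in (AciItem(False), AciItem(True)):
            print(model, aci.include_family,
                  may_modify(USER.dn, GRANDCHILD, aci, model))
```

Only the attribute-change model can express both "ancestor inherits access" and "ancestor needs specific rights" in the same directory, which is why that case requires new ACI attributes rather than a model change alone.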