
Re: Management domains and access controls



>>     (3) Store the resulting policy language expression anywhere it wants (for
>>         example, in a subentry in a node *above* the context prefix of the naming
>>         context.
>
>I don't quite follow how it would know to do this?

Just the same way a human administrator would, I presume. What I mean
is this: when I want to use prescriptive ACI to protect a subset of the
entries in a DIT I have to "walk up the tree" to a point above all the
entries which will be governed by the policy (this is easy to do; all you
have to do is find the least upper bound of the entries). Then it has to
put together a subentry specification which matches all the entries I want
to control and which doesn't match the entries I don't want to control --
this is the hard part but it can obviously be done, especially since in
many cases the entries will have some coherent structure, like an entire
subtree. Finally I have to put the subentry specification into the
appropriate (least-upper-bound) entry.

Do you think this presents any challenges other than getting the
implementation right?

--bob

Bob Blakley (blakley@dascom.com)
Chief Scientist, Dascom
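
The three steps described in the message above (find the least upper bound, build a specification that matches the wanted entries and not the unwanted ones, store it at that entry), sketched as an added example that is not part of the original message. It assumes DNs without escaped commas, models the specification as a base plus chopBefore-style exclusions only, and uses constructed entry names; all function names are hypothetical.

```python
# Added illustration, simplified: DNs are comma-separated RDNs with no escaped
# commas, and a specification is a base plus chopBefore-style exclusions only.
def parse_dn(dn):
    """RDNs ordered root-first, lower-cased for comparison."""
    return tuple(r.strip().lower() for r in reversed(dn.split(",")))

def format_dn(path):
    return ",".join(reversed(path))

def is_under(path, base):
    return path[:len(base)] == base

def least_upper_bound(dns):
    """Deepest entry at or above every DN given: the 'walk up the tree' step."""
    lub = []
    for level in zip(*(parse_dn(d) for d in dns)):
        if len(set(level)) != 1:
            break
        lub.append(level[0])
    return tuple(lub)

def matches(spec, dn):
    path = parse_dn(dn)
    return is_under(path, spec["base"]) and not any(
        is_under(path, chop) for chop in spec["chop_before"])

def build_spec(controlled, uncontrolled):
    """Base at the LUB; chop out every unwanted entry below it; verify the result."""
    base = least_upper_bound(controlled)
    chops = sorted({parse_dn(d) for d in uncontrolled if is_under(parse_dn(d), base)})
    # A chop removes its whole subtree, so deeper chops under it are redundant.
    chops = [c for c in chops if not any(c != o and is_under(c, o) for o in chops)]
    spec = {"base": base, "chop_before": chops}
    missed = [d for d in controlled if not matches(spec, d)]
    if missed:  # a wanted entry sits below an unwanted one
        raise ValueError("base + chops cannot express this set: %s" % missed)
    return spec

# Constructed sample entries.
CONTROLLED = ["ou=Engineering,o=Example,c=US",
              "cn=alice,ou=Engineering,o=Example,c=US",
              "cn=bob,ou=Sales,o=Example,c=US"]
UNCONTROLLED = ["ou=Contractors,ou=Engineering,o=Example,c=US",
                "cn=eve,ou=Contractors,ou=Engineering,o=Example,c=US",
                "cn=root,c=US"]

if __name__ == "__main__":
    spec = build_spec(CONTROLLED, UNCONTROLLED)
    print("store subentry at:", format_dn(spec["base"]))
```

Because the specification is prescriptive, it also matches any entry later added under the base and outside the chopped subtrees, so the check only proves exactness against the entries listed.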
