
Manage, Use, Set, Get rights in draft-ietf-ldapext-acl-model-04.txt



The document defines a set of rights that apply to the object to which the directory entry points (Manage / Use / Get / Set). Your example shows how these could be applied to a printer. However, they are very vague and I think vendors will want to have specific rights for objects such as printers or computers. Using your printer example, people may want to separate the rights for starting/stopping queues and flushing queues. Flushing a queue is a destructive operation. Trying to lump operations together under these coarse groups will probably not work well and LDAP server vendors will undoubtedly group the operations differently (Manage for vendor A may be start/stop queue and Manage for vendor B may be start/stop/flush).

I would suggest removing this set of rights from the document. The ACL model allows for other access control mechanisms and rights families to be defined. I could see groups getting together to propose a standard set of printer rights or a standard set of computer rights, or a set of rights for executing specific controls within the directory.


David