Manage, Use, Set, Get rights in draft-ietf-ldapext-acl-model-04.txt
The document defines a set of rights that apply to the object to which the directory entry points (Manage / Use / Get / Set). Your example shows how these could be applied to a printer. However, they are very vague and I think vendors will want to have specific rights for objects such as printers or computers. Using your printer example, people may want to separate the rights for starting/stopping queues and flushing queues. Flushing a queue is a destructive operation. Trying to lump operations together under these coarse groups will probably not work well, and LDAP server vendors will undoubtedly group the operations differently (Manage for vendor A may be start/stop queue and Manage for vendor B may be start/stop/flush).
I would suggest removing this set of rights from the document. The ACL model allows for other access control mechanisms and rights families to be defined. I could see groups getting together to propose a standard set of printer rights or a standard set of computer rights, or a set of rights for executing specific controls within the directory.
David