
Re: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt



There are fair reasons for either possibility, and this would be specific to an instance of a directory. In public directories, deny takes precedence over grant ("grant everyone except x ...") while in private or secure directories grant takes precedence ("restrict access to all except for ...") over the deny list.

The suggestion to have it as an attribute in the Root DSE ("accessPolicy = Public | Restricted") is a good one, but should this be restricted to the Root DSE only? Why not have it at sub-tree level with the default flowing down the tree from the Root DSE? This would facilitate regional administration of large multinational trees.

Subbu K. K.

>>> "David Ward" <DSWARD@novell.com> 10/13/99 04:40AM >>>
Is there a precedence for the grant / deny actions?  If there are two identical ACI values except for the action, which one takes precedence?  An example would be:

             aci: 1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US
             aci: 1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US

Is this server implementation dependent? I don't think it should be. However, if it must be for some reason I haven't considered, a server should at least advertise its precedence. This information could be put in the Root DSE object. Without this information, different LDAP implementations may not be able to interoperate and maintain desired access control behaviors.


David
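The following is an added example, not code from the thread, from Novell, or from the draft: a small evaluator showing how the two conflicting ACIs David posted would be resolved under the per-subtree "accessPolicy" Subbu suggests, with the Root DSE value as the default and nearer subtrees overriding it. The field layout (family#scope#action;rights;attribute#subjectType#subjectDN) is read off the posted example, not taken from the draft text; the policy names "Public" (deny wins) and "Restricted" (grant wins), the group-membership matching, the naive DN normalisation and the default-deny when no ACI matches are all assumptions made for the illustration.

```python
"""Illustrative grant/deny resolution with a subtree-scoped access policy.

Assumptions (this is an illustration, not the draft's normative algorithm):
  * an ACI value is family#scope#action;rights;attribute#subjectType#subjectDN
  * policy values: "Public" (deny wins) or "Restricted" (grant wins)
  * DN matching is a naive case-insensitive RDN comparison (no RFC 2253 escaping)
  * a request that matches no ACI at all is denied
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DN = Tuple[str, ...]   # normalised RDNs, leaf first, e.g. ("cn=bob", "ou=finance", "c=us")


def normalize_dn(dn: str) -> DN:
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def is_within(target: DN, base: DN) -> bool:
    """True when target equals base or lies somewhere below it."""
    return len(target) >= len(base) and target[len(target) - len(base):] == base


@dataclass(frozen=True)
class Aci:
    family: str
    scope: str            # "entry" or "subtree"
    action: str           # "grant" or "deny"
    rights: frozenset     # one-letter permissions, e.g. frozenset("r")
    attribute: str
    subject_type: str     # only "group" is understood here
    subject: DN


def parse_aci(value: str) -> Aci:
    """Split one ACI value along the '#' and ';' separators seen in the posted example."""
    family, scope, permission, subject_type, subject = value.split("#", 4)
    action, rights, attribute = permission.split(";", 2)
    if action not in ("grant", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return Aci(family, scope, action, frozenset(rights), attribute,
               subject_type, normalize_dn(subject))


class Directory:
    def __init__(self, root_dse_policy: str) -> None:
        self.root_policy = root_dse_policy          # hypothetical Root DSE attribute
        self.subtree_policy: Dict[DN, str] = {}     # hypothetical per-subtree overrides
        self.acis: List[Tuple[DN, Aci]] = []        # (entry holding the ACI, parsed ACI)

    def set_policy(self, subtree: str, policy: str) -> None:
        self.subtree_policy[normalize_dn(subtree)] = policy

    def add_aci(self, entry: str, value: str) -> None:
        self.acis.append((normalize_dn(entry), parse_aci(value)))

    def effective_policy(self, target: DN) -> str:
        """Nearest explicit policy at or above target, else the Root DSE default."""
        for i in range(len(target)):
            policy = self.subtree_policy.get(target[i:])
            if policy is not None:
                return policy
        return self.root_policy

    def check(self, entry: str, attribute: str, right: str, groups: List[str]) -> bool:
        """Decide whether a member of `groups` may exercise `right` on `attribute` of `entry`."""
        target = normalize_dn(entry)
        member_of = {normalize_dn(g) for g in groups}
        actions = set()
        for holder, aci in self.acis:
            applies = holder == target or (aci.scope == "subtree" and is_within(target, holder))
            if not applies or aci.attribute != attribute or right not in aci.rights:
                continue
            if aci.subject_type == "group" and aci.subject in member_of:
                actions.add(aci.action)
        if actions == {"grant", "deny"}:            # David's conflict: policy breaks the tie
            return self.effective_policy(target) == "Restricted"
        return actions == {"grant"}                 # no matching ACI at all: default deny


def build_example() -> Directory:
    """Constructed sample tree: the two conflicting ACIs from the thread placed at c=US,
    Root DSE policy Public, and ou=Finance,c=US overriding to Restricted."""
    d = Directory(root_dse_policy="Public")
    d.set_policy("ou=Finance, c=US", "Restricted")
    d.add_aci("c=US", "1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US")
    d.add_aci("c=US", "1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US")
    return d


if __name__ == "__main__":
    d = build_example()
    dept = ["cn=Dept XYZ, c=US"]
    print(d.check("cn=Alice, ou=Sales, c=US", "attribute1", "r", dept))    # Public: deny wins
    print(d.check("cn=Bob, ou=Finance, c=US", "attribute1", "r", dept))    # Restricted: grant wins
    print(d.check("cn=Bob, ou=Finance, c=US", "attribute1", "r", []))      # not in the group
```

The same pair of ACIs yields opposite answers for two entries under c=US purely because of which policy governs their subtree, which is exactly the interoperability hazard David raises: a client cannot predict the outcome unless the server advertises the policy, and with subtree-level overrides it would need to discover the policy per subtree rather than once from the Root DSE.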