
Re: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt



I for one feel strongly that the precedence of grant vs. deny should be
fixed by the access control model.  Otherwise we are just making life
too complicated for client and server implementors.  If I were to
choose, I would make 'deny' win out over 'grant.'

-- 
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's.   Got LDAP?


"Subbu K. K." wrote:
> 
> There are fair reasons for either possibility and this would be specific
> to an instance of a directory. In public directories, deny takes precedence
> over grant ('grant everyone except x....') while in private or secure
> directories grant takes precedence ("restrict access to all except
> for ....") over deny list.
> 
> The suggestion to have it as an attribute in Root DSE ("accessPolicy =
> Public | Restricted") is a good one, but should this be restricted to
> the Root DSE only. Why not have it at sub-tree level with the default
> flowing down the tree from the Root DSE? This would facilitate regional
> administration of large multinational trees.
> 
> Subbu K. K.
> 
> >>> "David Ward" <DSWARD@novell.com> 10/13/99 04:40AM >>>
> Is there a precedence for the grant / deny actions?  If there are two
> identical ACI values except for the action, which one takes precedence?
> An example would be:
> 
>              aci: 1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US
>              aci: 1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US
> 
> Is this server implementation dependent?  I don't think it should be.
> However, if it must be for some reason I haven't considered, a server
> should at least advertise its precedence.  This information could be
> put in the Root DSE object.  Without this information, different ldap
> implementations may not be able to interoperate and maintain desired
> access control behaviors.
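The following is an added illustration of the point argued in this thread; it is not code from the draft or from any of the posters. It takes the two aci values David Ward quoted, splits them into fields along the `#` and `;` separators visible in those two samples (the field layout is inferred from the samples only, and is an assumption for everything the samples do not show), flags pairs that differ only in grant/deny, and evaluates the same request under both precedence rules. The mapping of Subbu's proposed `accessPolicy` Root DSE attribute onto a precedence rule (Public: deny wins; Restricted: grant wins) is likewise an assumption taken from his description, as is the implicit-deny fallback when no aci applies.

```python
"""Toy grant/deny precedence evaluator for the two aci values quoted in the
thread.  Added example, not the draft's or any poster's code.  The field
layout  <oid>#<scope>#<action>;<rights>;<attribute>#<subject-type>#<subject>
is read off the two samples; anything beyond them is an assumption."""
from dataclasses import dataclass
from itertools import combinations

# Constructed sample input: the two values from the thread, whitespace trimmed.
SAMPLE_ACI_VALUES = [
    "1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US",
    "1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US",
]

# Assumed mapping of the proposed Root DSE attribute to a precedence rule,
# following the description in the thread (public: deny wins; restricted:
# grant wins).  Hypothetical; not defined by the draft.
ACCESS_POLICY_TO_PRECEDENCE = {"Public": "deny-wins", "Restricted": "grant-wins"}


@dataclass(frozen=True)
class Aci:
    family: str          # leading OID, e.g. "1.2.3.4"
    scope: str           # e.g. "subtree"
    action: str          # "grant" or "deny"
    rights: frozenset    # single-letter rights, e.g. {"r"}
    attribute: str       # attribute the rights apply to
    subject_type: str    # e.g. "group"
    subject: str         # e.g. a DN


def parse_aci(value: str) -> Aci:
    """Split one aci value into its fields (layout assumed from the samples)."""
    parts = value.strip().split("#", 4)   # the DN may contain commas, not '#'
    if len(parts) != 5:
        raise ValueError(f"expected 5 '#'-separated fields: {value!r}")
    family, scope, permission, subject_type, subject = parts
    action, rights, attribute = permission.split(";")
    if action not in ("grant", "deny"):
        raise ValueError(f"unknown action {action!r} in {value!r}")
    return Aci(family, scope, action, frozenset(rights), attribute, subject_type, subject)


def find_conflicts(acis):
    """Return pairs of acis that are identical except for grant vs. deny.
    Surfacing these at configuration time avoids depending on precedence at all."""
    conflicts = []
    for a, b in combinations(acis, 2):
        key_a = (a.family, a.scope, a.rights, a.attribute, a.subject_type, a.subject)
        key_b = (b.family, b.scope, b.rights, b.attribute, b.subject_type, b.subject)
        if a.action != b.action and key_a == key_b:
            conflicts.append((a, b))
    return conflicts


def decide(acis, subject_type, subject, attribute, right, precedence):
    """True if the request is allowed under the given precedence rule."""
    applicable = [a for a in acis
                  if a.subject_type == subject_type and a.subject == subject
                  and a.attribute == attribute and right in a.rights]
    actions = {a.action for a in applicable}
    if not actions:
        return False                      # no applicable aci: implicit deny (assumption)
    if precedence == "deny-wins":
        return "deny" not in actions      # any deny overrides every grant
    if precedence == "grant-wins":
        return "grant" in actions         # any grant overrides every deny
    raise ValueError(f"unknown precedence {precedence!r}")


def decide_via_root_dse(root_dse, acis, subject_type, subject, attribute, right):
    """Consult the (hypothetical) accessPolicy attribute; refuse to guess if absent."""
    policy = root_dse.get("accessPolicy")
    if policy not in ACCESS_POLICY_TO_PRECEDENCE:
        raise LookupError("server does not advertise grant/deny precedence")
    return decide(acis, subject_type, subject, attribute, right,
                  ACCESS_POLICY_TO_PRECEDENCE[policy])


if __name__ == "__main__":
    acis = [parse_aci(v) for v in SAMPLE_ACI_VALUES]
    for a, b in find_conflicts(acis):
        print(f"conflicting pair for {a.subject!r} on {a.attribute}: {a.action} vs {b.action}")
    for prec in ("deny-wins", "grant-wins"):
        allowed = decide(acis, "group", "cn=Dept XYZ, c=US", "attribute1", "r", prec)
        print(f"{prec}: read of attribute1 allowed = {allowed}")
```

Running the script shows the interoperability problem in one line each: the identical request is refused under deny-wins and permitted under grant-wins, so two servers holding the same acis but different unadvertised precedence rules enforce different policies. `find_conflicts` is the check an administrator can run regardless of which rule the model eventually fixes.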