Re: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt
I agree there are two items and I agree with the proposed defaults.
>>> Mark Smith <mcs@netscape.com> 10/15/99 8:48:48 AM >>>
> "Miklos, Sue A." wrote:
>
> I agree that the model should have a consistent default condition. I
> also prefer that the default be "deny" and that only after all rights
> necessary have been validated, should a "grant" condition occur.
To clarify, I think there are two different items for discussion:
a) Default access: in the absence of any access control rules, what
access is granted? I think the answer should be "none" since this is
the safest default.
b) Precedence of grant and deny: when a "grant" and a "deny" clause both
apply, is access granted or denied? I think access should be denied,
which is to say that "denies" win out over "grants."
--
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's. Got LDAP?
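The two items discussed in this message (default access of "none", and "denies" winning over "grants"), as an added example that is not part of the original thread or of the draft. The rule model, DNs and group names are constructed for illustration and do not follow the draft's ACI syntax.

```python
from dataclasses import dataclass

GRANT, DENY = "grant", "deny"


@dataclass(frozen=True)
class Rule:
    # Hypothetical rule shape for illustration, not the draft's ACI syntax.
    subject: str          # a user DN or a group name
    effect: str           # GRANT or DENY
    rights: frozenset     # e.g. {"read", "search"}


def applicable(rule, user_dn, groups, right):
    """A rule applies if it names the right and the user or one of their groups."""
    return right in rule.rights and (rule.subject == user_dn or rule.subject in groups)


def decide(rules, user_dn, groups, right):
    """Return (allowed, reason); rule order never affects the result."""
    matches = [r for r in rules if applicable(r, user_dn, groups, right)]
    # Item (a): no applicable rule means no access.
    if not matches:
        return False, "default: no applicable rule"
    # Item (b): any applicable deny wins. Unknown effects also fail closed.
    if any(r.effect != GRANT for r in matches):
        return False, "deny overrides grant"
    return True, "granted"


# Constructed sample policy.
RULES = [
    Rule("cn=staff", GRANT, frozenset({"read", "search"})),
    Rule("cn=contractors", DENY, frozenset({"read"})),
    Rule("uid=alice,ou=people,dc=example,dc=com", GRANT, frozenset({"write"})),
]

if __name__ == "__main__":
    bob = "uid=bob,ou=people,dc=example,dc=com"
    # bob is in both groups: the grant and the deny both apply to "read".
    print(decide(RULES, bob, {"cn=staff", "cn=contractors"}, "read"))
    print(decide(RULES, bob, {"cn=staff", "cn=contractors"}, "search"))
    print(decide([], bob, {"cn=staff"}, "read"))
```
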