
Re: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt



I agree there are two items and I agree with the proposed defaults. 

>>> Mark Smith <mcs@netscape.com> 10/15/99 8:48:48 AM >>>
> "Miklos, Sue A." wrote:
> 
> I agree that the model should have a consistent default condition.  I
> also prefer that the default be "deny" and that only after all rights
> necessary have been validated, should a "grant" condition occur.

To clarify, I think there are two different items for discussion:

a) Default access: in the absence of any access control rules, what
access is granted?  I think the answer should be "none" since this is
the safest default.

b) Precedence of grant and deny: when a "grant" and a "deny" clause both
apply, is access granted or denied?  I think access should be denied,
which is to say that "denies" win out over "grants."

-- 
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's.   Got LDAP?
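
The two defaults discussed in this thread, as an added example that is not part of the original messages or of the draft: a small evaluator in which no applicable rule means no access (item a) and any applicable deny overrides every applicable grant (item b). The Rule fields, the decide() function and the sample DNs are hypothetical, not the draft's ACI syntax, and treating "no rule applies to this request" the same as "no rules at all" is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule shape, not the draft's ACI syntax."""
    action: str        # "grant" or "deny"
    subject: str       # subject DN, or "*" for any subject
    attribute: str     # attribute name, or "*" for any attribute
    rights: frozenset  # e.g. frozenset({"read", "write"})

    def __post_init__(self):
        # Reject unknown actions so a typo cannot turn into an implicit grant.
        if self.action not in ("grant", "deny"):
            raise ValueError(f"unknown action: {self.action!r}")

    def applies(self, subject, attribute, right):
        # Exact string matching is a simplification for this example.
        return (self.subject in ("*", subject)
                and self.attribute in ("*", attribute)
                and right in self.rights)


def decide(rules, subject, attribute, right):
    """Return (allowed, reason) for one access request."""
    matching = [r for r in rules if r.applies(subject, attribute, right)]
    if not matching:
        return False, "default"          # item (a): default access is none
    if any(r.action == "deny" for r in matching):
        return False, "deny-overrides"   # item (b): denies win over grants
    return True, "grant"


# Constructed sample rules; the order of the list does not affect the outcome.
ALICE = "cn=alice,dc=example,dc=com"
RULES = [
    Rule("grant", "*", "mail", frozenset({"read"})),
    Rule("grant", ALICE, "*", frozenset({"read", "write"})),
    Rule("deny", ALICE, "userPassword", frozenset({"read"})),
]

if __name__ == "__main__":
    for attr, right in [("mail", "read"), ("userPassword", "read"),
                        ("userPassword", "write")]:
        print(attr, right, decide(RULES, ALICE, attr, right))
```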