
RE: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt


To clarify (which I almost always have to do) -

If an access control model exists with a range of accesses associated (individual, roles, group of names, etc.) and if ACI are present, the default condition should ensure that, until all criteria are successfully met, a deny exists. If there are any ambiguities when determining rights, always default to a deny.

I am somewhat confused about your first case... If there are no access control rules, then the condition is not relevant.  If there are no criteria imposed to access the repository, then it should be accessible (and modifiable?) by all.  The absence of ACI implies that all information contained within meets the "front page of the New York Times" criteria... publicly available to all.

regards,
Sandi

-----Original Message-----
From: Mark Smith [mailto:mcs@netscape.com]
Sent: Friday, October 15, 1999 10:48 AM
To: Miklos Sue A.
Cc: Subbu K. K.; ietf-ldapext@netscape.com
Subject: Re: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt


> "Miklos, Sue A." wrote:
>
> I agree that the model should have a consistent default condition.  I
> also prefer that the default be "deny" and that only after all rights
> necessary have been validated, should a "grant" condition occur.

To clarify, I think there are two different items for discussion:

a) Default access: in the absence of any access control rules, what
access is granted?  I think the answer should be "none" since this is
the safest default.

b) Precedence of grant and deny: when a "grant" and a "deny" clause both
apply, is access granted or denied?  I think access should be denied,
which is to say that "denies" win out over "grants."

--
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's.   Got LDAP?
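As an added example (not code from the thread or from the draft), a small Python evaluator of the two items Mark separates: what access applies when no ACI match, and which way a conflict between a matching "grant" and a matching "deny" resolves. The `Aci` structure, the subject strings and the sample rule set are constructed for illustration; the `default` parameter exists only to contrast the "none" default Mark proposes with the "available to all" reading Sandi gives for an entry with no ACI.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Aci:
    """One access control item (constructed shape, not the draft's syntax)."""
    subject: str          # who it applies to, e.g. "user:bob", "group:staff", "role:admin"
    rights: frozenset     # rights the clause covers, e.g. {"read", "write"}
    effect: str           # "grant" or "deny"

def access_decision(acis, subjects, right, default="deny"):
    """Decide 'grant' or 'deny' for one requested right.

    `subjects` is every identity the requester acts as (own entry plus
    group and role memberships).  `default` is the answer when no ACI
    applies at all: "deny" is item (a) in Mark's message; "grant" models
    the "no ACI means public" reading in Sandi's reply.
    """
    applicable = [a for a in acis if a.subject in subjects and right in a.rights]
    if not applicable:
        return default                          # (a) default access
    if any(a.effect == "deny" for a in applicable):
        return "deny"                           # (b) denies win over grants
    return "grant"

# Constructed sample ACI set for a single directory entry.
EXAMPLE_ACIS = [
    Aci("group:staff", frozenset({"read"}), "grant"),
    Aci("user:bob", frozenset({"read", "write"}), "deny"),
    Aci("role:admin", frozenset({"read", "write"}), "grant"),
]

if __name__ == "__main__":
    # alice reads via her staff membership; bob is denied even though the
    # same staff grant matches him, because a deny clause also applies.
    print(access_decision(EXAMPLE_ACIS, {"user:alice", "group:staff"}, "read"))
    print(access_decision(EXAMPLE_ACIS, {"user:bob", "group:staff"}, "read"))
    # No ACI mentions alice's write access: the default decides.
    print(access_decision(EXAMPLE_ACIS, {"user:alice", "group:staff"}, "write"))
```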