
Re: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt



I agree.  I would suggest making it very clear that deny takes precedence over grant when:

1) there are two conflicting aci values
2) there is no aci information ( deny is the default )

David

>>> Ellen Stokes <stokes@austin.ibm.com> 10/19/99 3:57:27 AM >>>
Yes, we want to be very specific about behavior for interoperability.
So, given your example, there are 2 rules that need to be added to
the draft:
1.  More specific policies must override less specific ones (e.g. individual user entry in ACL SHOULD take precedence over group entry) for the evaluation of an ACL.
2.  Deny takes precedence over grant.
Ellen


At 05:05 PM 10/12/1999 -0600, David Ward wrote:
>Is there a precedence for the grant / deny actions?  If there are two
>identical ACI values except for the action, which one takes precedence?  An
>example would be:
>
>             aci: 1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US
>             aci: 1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US
>
>Is this server implementation dependent?  I don't think it should be.
>However, if it must be for some reason I haven't considered, a server
>should at least advertise its precedence.  This information could be put in
>the Root DSE object.  Without this information, different ldap
>implementations may not be able to interoperate and maintain desired access
>control behaviors.
>
>
>David
>
>
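The three rules the thread settles on (a user-specific entry overrides a group entry, deny wins over grant, and no applicable aci means deny) as a small evaluator; this is an added example, not code from the draft or from either poster. The aci field layout is inferred from the single example line quoted above, the "access-id" subject type and the single-letter permission letters are assumptions, and DNs are compared as plain strings.

```python
from dataclasses import dataclass

# Subject types and their specificity: an entry naming one user beats a group entry.
# "access-id" is assumed as the per-user subject type; only "group" appears in the thread.
SPECIFICITY = {"group": 1, "access-id": 2}


@dataclass(frozen=True)
class Aci:
    policy_oid: str
    scope: str
    action: str            # "grant" or "deny"
    permissions: frozenset # single permission letters such as 'r'
    attribute: str
    subject_type: str
    subject_dn: str


def parse_aci(value: str) -> Aci:
    """Parse 'oid#scope#action;perms;attr#subjectType#subjectDN' (layout inferred from the example)."""
    oid, scope, rights, subject_type, subject_dn = value.split("#", 4)
    action, perms, attribute = rights.split(";", 2)
    if action not in ("grant", "deny"):
        raise ValueError(f"unknown action {action!r}")
    # Assumption: permissions are letters, optionally comma separated ('r' or 'r,w').
    return Aci(oid, scope, action, frozenset(perms.replace(",", "")), attribute,
               subject_type, subject_dn.strip())


def decide(acis, subject_dn, groups, attribute, permission):
    """Return ('grant'|'deny', reason): specific beats general, deny beats grant, default deny."""
    applicable = []
    for aci in acis:
        if attribute != aci.attribute or permission not in aci.permissions:
            continue
        if aci.subject_type == "access-id" and aci.subject_dn == subject_dn:
            applicable.append(aci)
        elif aci.subject_type == "group" and aci.subject_dn in groups:
            applicable.append(aci)
    if not applicable:
        return "deny", "no applicable aci: deny is the default"
    top = max(SPECIFICITY[a.subject_type] for a in applicable)
    winners = [a for a in applicable if SPECIFICITY[a.subject_type] == top]
    if any(a.action == "deny" for a in winners):
        return "deny", "deny takes precedence over grant at the most specific level"
    return "grant", f"granted by {winners[0].subject_type} entry {winners[0].subject_dn}"


# Constructed sample: the two conflicting values from the thread plus a per-user grant.
SAMPLE_ACIS = [parse_aci(v) for v in (
    "1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US",
    "1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US",
    "1.2.3.4#subtree#grant;r;attribute1#access-id#cn=Alice, cn=Dept XYZ, c=US",
)]
```

With only the two conflicting group values, a member of cn=Dept XYZ, c=US is denied; adding the access-id grant for Alice lets her read attribute1 despite the group-level deny.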