David Ward wrote:
> I agree. I would suggest making it very clear that deny takes precedence over grant when:
>
> 1) there are two conflicting aci values
> 2) there is no aci information (deny is the default)

I agree. It makes sense.
/prasanta

>
> David
>
> >>> Ellen Stokes <stokes@austin.ibm.com> 10/19/99 3:57:27 AM >>>
> Yes, we want to be very specific about behavior for interoperability.
> So, given your example, there are 2 rules that need to be added to
> the draft:
> 1. More specific policies must override less specific ones (e.g. individual user
> entry in ACL SHOULD take precedence over group entry) for the evaluation of
> an ACL.
> 2. Deny takes precedence over grant.
> Ellen
>
> At 05:05 PM 10/12/1999 -0600, David Ward wrote:
> > Is there a precedence for the grant / deny actions? If there are two
> > identical ACI values except for the action, which one takes precedence? An
> > example would be:
> >
> > aci: 1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US
> > aci: 1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US
> >
> > Is this server implementation dependent? I don't think it should be.
> > However, if it must be for some reason I haven't considered, a server
> > should at least advertise its precedence. This information could be put in
> > the Root DSE object. Without this information, different ldap
> > implementations may not be able to interoperate and maintain desired access
> > control behaviors.
> >
> > David
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
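The two precedence rules agreed in the thread (most specific subject wins; among equally specific rules deny beats grant; no applicable ACI means deny), applied to the `aci:` syntax quoted above. This is an added illustration, not code from the draft or any server; the `access-id` and `public` subject types and the specificity ranking are assumptions for the example, as is `parse_aci` being tolerant of only the exact `OID#scope#action;perms;attr#type#DN` layout.

```python
from dataclasses import dataclass

# Assumed specificity ranking for the subject-type field (rule 1 in the thread):
# an individual user entry beats a group entry, which beats a catch-all.
SPECIFICITY = {"access-id": 2, "group": 1, "public": 0}


@dataclass(frozen=True)
class Aci:
    scope: str          # "entry" or "subtree"
    action: str         # "grant" or "deny"
    permissions: str    # e.g. "r", "w", "rw"
    attribute: str      # attribute the rule covers
    subject_type: str   # "access-id", "group" or "public" (assumed set)
    subject: str        # DN of the user or group


def parse_aci(value: str) -> Aci:
    """Parse 'OID#scope#action;perms;attr#subjectType#subjectDN' (the layout quoted in the thread)."""
    fields = value.split("#", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed aci: {value!r}")
    _oid, scope, rights, subject_type, subject = fields
    action, permissions, attribute = rights.split(";", 2)
    return Aci(scope, action, permissions, attribute, subject_type, subject.strip())


def applies(aci: Aci, user_dn: str, groups: set, attribute: str, perm: str) -> bool:
    """Does this ACI speak to the request (same attribute, same permission, matching subject)?"""
    if perm not in aci.permissions or aci.attribute != attribute:
        return False
    if aci.subject_type == "access-id":
        return aci.subject == user_dn
    if aci.subject_type == "group":
        return aci.subject in groups
    return aci.subject_type == "public"


def decide(acis, user_dn: str, groups: set, attribute: str, perm: str = "r") -> bool:
    """True if access is granted. No applicable ACI -> deny (deny is the default)."""
    matching = [a for a in acis if applies(a, user_dn, groups, attribute, perm)]
    if not matching:
        return False
    # Rule 1: only the most specific subject type present is considered.
    best = max(SPECIFICITY[a.subject_type] for a in matching)
    top = [a for a in matching if SPECIFICITY[a.subject_type] == best]
    # Rule 2: among equally specific rules, deny takes precedence over grant.
    return all(a.action == "grant" for a in top)
```

With David's two conflicting group ACIs, a member of `cn=Dept XYZ, c=US` is denied read on `attribute1`; an `access-id` grant for that same user would override the group deny.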