[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt
In general, I agree. But I think the more specific the ACI, the more precedence it should have.
Example #1:
BJarvis is a member of Group1
aci: 1.2.3.4#subtree#deny;r,w;[all];#group#cn=Group1
aci: 1.2.3.4#subtree#grant;r,2;[all];#access-id#cn=BJarvis
I maintain that access-id is more specific than group and thus in example #1, grant has precedence over deny.
This implies that we need to define a precedence order for dn-types.
I would propose (lowest--least specific) group, role, ip-address?, access-id (highest--most specific).
Example #2:
aci: 1.2.3.4#subtree#deny;r;w;[all];#group#cn=Group1
aci: 1.2.3.4#entry#grant;r;w;[all];#group#cn=Group1
I maintain that entry is more specific than subtree and thus is in example #2, grant has precedence over deny.
This implies that we need to define a precedence order for scopes.
I would propose (lowest--least specific) subtree, <level>, entry (highest--most specific).
When ACIs are of equal precedence, I think deny should override grant as a safety issue. When they are not of equal precedence, I maintain that the precedence order should determine ACI overrides rather than grant/deny.
--the walrus
a.k.a. Brian Jarvis
bjarvis@novell.com
>>> prasanta Behera <prasanta@netscape.com> 10/19/1999 11:32:30 >>>
David Ward wrote:
> I agree. I would suggest making it very clear that deny takes precedence over grant when :
>
> 1) there are two conflicting aci values
> 2) there is no aci information ( deny is the default )
I agree. It makes sense.
/prasanta
>
>
> David
>
> >>> Ellen Stokes <stokes@austin.ibm.com> 10/19/99 3:57:27 AM >>>
> Yes, we want to be very specific about behavior for interoperability.
> So, given your example, there are 2 rules that need to be added to
> the draft:
> 1. More specific policies must override less specific ones (e.g.
> individual user
> entry in ACL SHOULD take precedence over group entry) for the evaluation of
> an ACL.
> 2. Deny takes precedence over grant.
> Ellen
>
> At 05:05 PM 10/12/1999 -0600, David Ward wrote:
> >Is there a precedence for the grant / deny actions? If there are two
> identical ACI values except for the action, which one takes precedence? An
> example would be:
> >
> > aci: 1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US
> > aci: 1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US
> >
> >Is this server implementation dependent? I don't think it should be.
> However, if it must be for some reason I haven't considered, a server
> should at least advertise its precedence. This information could be put in
> the Root DSE object. Without this information, different ldap
> implemenations may not be able to interoperate and maintain desired access
> control behaviors.
> >
> >
> >David
> >
> >
<!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN">
<HTML>
<HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content='"MSHTML 4.72.3110.7"' name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff
style="FONT: 10pt Arial; MARGIN-LEFT: 2px; MARGIN-TOP: 2px">
<DIV>In general, I agree. But I think the more specific the ACI, the more
precedence it should have.</DIV>
<DIV> </DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff">Example #1:</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff">BJarvis is a member of
Group1</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff">aci:
1.2.3.4#subtree#deny;r,w;[all];#group#cn=Group1</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff">aci:
1.2.3.4#subtree#grant;r,2;[all];#access-id#cn=BJarvis</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff"></FONT> </DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff">I maintain that access-id is more
specific than group and thus in example #1, grant has precedence over
deny.</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff"></FONT> </DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff">This implies that we need to define
a precedence order for dn-types.</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff"></FONT><FONT
style="BACKGROUND-COLOR: #ffffff">I would propose (lowest--least specific)
group, role, ip-address?, access-id (highest--most specific).</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff"></FONT><BR> </DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff">Example #2:</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff"></FONT><FONT
style="BACKGROUND-COLOR: #ffffff">aci:
1.2.3.4#subtree#deny;r;w;[all];#group#cn=Group1</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff"></FONT><FONT
style="BACKGROUND-COLOR: #ffffff">
<DIV><FONT style="BACKGROUND-COLOR: #ffffff">aci:
1.2.3.4#entry#grant;r;w;[all];#group#cn=Group1</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff"></FONT> </DIV></FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff">I maintain that entry is more
specific than subtree and thus is in example #2, grant has precedence over
deny.</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff"></FONT> </DIV>
<DIV>This implies that we n<FONT style="BACKGROUND-COLOR: #ffffff">eed to define
a precedence order for scopes.</FONT></DIV>
<DIV><FONT style="BACKGROUND-COLOR: #ffffff"></FONT><FONT
style="BACKGROUND-COLOR: #ffffff">I would propose (lowest--least specific)
subtree, <level>, entry (highest--most specific).</FONT><BR></DIV>
<DIV>When ACIs are of equal precedence, I think deny should override grant as a
safety issue. When they are not of equal precedence, I maintain that the
precedence order should determine ACI overrides rather than grant/deny.</DIV>
<DIV> </DIV>
<DIV>--the walrus</DIV>
<DIV>a.k.a. Brian Jarvis</DIV>
<DIV><A href="mailto:bjarvis@novell.com">bjarvis@novell.com</A></DIV>
<DIV><BR>>>> prasanta Behera <<A
href="mailto:prasanta@netscape.com">prasanta@netscape.com</A>> 10/19/1999
11:32:30 >>><BR><BR><BR>David Ward wrote:<BR><BR>> I agree. I
would suggest making it very clear that deny takes precedence over grant when
:<BR>><BR>> 1) there are two conflicting aci values<BR>> 2) there is no
aci information ( deny is the default )<BR><BR>I agree. It makes
sense.<BR>/prasanta<BR><BR>><BR>><BR>> David<BR>><BR>>
>>> Ellen Stokes <stokes@austin.ibm.com> 10/19/99 3:57:27 AM
>>><BR>> Yes, we want to be very specific about behavior for
interoperability.<BR>> So, given your example, there are 2 rules that need to
be added to<BR>> the draft:<BR>> 1. More specific policies must
override less specific ones (e.g.<BR>> individual user<BR>> entry in ACL
SHOULD take precedence over group entry) for the evaluation of<BR>> an
ACL.<BR>> 2. Deny takes precedence over grant.<BR>>
Ellen<BR>><BR>> At 05:05 PM 10/12/1999 -0600, David Ward wrote:<BR>>
>Is there a precedence for the grant / deny actions? If there are
two<BR>> identical ACI values except for the action, which one takes
precedence? An<BR>> example would be:<BR>> ><BR>>
>
aci: 1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US<BR>>
>
aci: 1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US<BR>>
><BR>> >Is this server implementation dependent? I don't think it
should be.<BR>> However, if it must be for some reason I haven't considered,
a server<BR>> should at least advertise its precedence. This
information could be put in<BR>> the Root DSE object. Without this
information, different ldap<BR>> implemenations may not be able to
interoperate and maintain desired access<BR>> control behaviors.<BR>>
><BR>> ><BR>> >David<BR>> ><BR>>
><BR></DIV></BODY></HTML>
BEGIN:VCARD
VERSION:2.1
X-GWTYPE:USER
FN:Brian Jarvis
TEL;WORK:801-861-3856
ORG:;NDS Administration
TEL;PREF;FAX:801-861-2292
EMAIL;WORK;PREF;NGW:BJARVIS@novell.com
N:Jarvis;Brian
TITLE:Engineer
ADR;INTL;WORK;PARCEL;POSTAL:;PRV-F221;122 E 1700 S;Provo;UT;84606;USA
LABEL;INTL;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Brian Jarvis=0A=
PRV-F221=0A=
122 E 1700 S=0A=
Provo, UT 84606=0A=
USA
LABEL;DOM;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Brian Jarvis=0A=
PRV-F221=0A=
122 E 1700 S=0A=
Provo, UT 84606
TEL;HOME:801-226-6636
TEL;PREF:801-861-3856
X-GWUSERID:BJARVIS
END:VCARD