
Re: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt



David,
Done - I'll update the document to reflect this.
Ellen


At 10:10 AM 10/19/1999 -0600, David Ward wrote:
>I agree.  I would suggest making it very clear that deny takes
>precedence over grant when :
>
>1) there are two conflicting aci values
>2) there is no aci information ( deny is the default )
>
>David
>
>>>> Ellen Stokes <stokes@austin.ibm.com> 10/19/99 3:57:27 AM >>>
>Yes, we want to be very specific about behavior for interoperability.
>So, given your example, there are 2 rules that need to be added to
>the draft:
>1.  More specific policies must override less specific ones (e.g.
>individual user entry in ACL SHOULD take precedence over group entry)
>for the evaluation of an ACL.
>2.  Deny takes precedence over grant.
>Ellen
>
>
>At 05:05 PM 10/12/1999 -0600, David Ward wrote:
>>Is there a precedence for the grant / deny actions?  If there are two
>>identical ACI values except for the action, which one takes precedence?
>>An example would be:
>>
>>             aci: 1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US
>>             aci: 1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US
>>
>>Is this server implementation dependent?  I don't think it should be.
>>However, if it must be for some reason I haven't considered, a server
>>should at least advertise its precedence.  This information could be
>>put in the Root DSE object.  Without this information, different ldap
>>implementations may not be able to interoperate and maintain desired
>>access control behaviors.
>>
>>
>>David
>>
>
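The three rules the thread settles on (no aci information means deny; a more specific subject such as an individual entry overrides a group entry; among equally specific conflicting values deny beats grant) are easy to state but easy to get wrong in a server, because the order in which they are applied changes the answer. The following is an added example written for this archive page, not code from the draft, from IBM, or from either participant. It parses aci values in the syntax David used in his example (`version#scope#action;permissions;attribute#subjectType#subjectDN`) and evaluates a request against them. Assumptions: the subject type `access-id` is used for an individual entry (the draft's own keyword is not quoted in this thread), DN comparison is reduced to trimming and case-folding each RDN, and the user DN and group membership are constructed sample data.

```python
# Added example: a toy evaluator for aci values in the draft's syntax
# (version#scope#action;permissions;attribute#subjectType#subjectDN) that
# applies the precedence rules agreed in the thread.  Not code from the
# draft or from any LDAP server; "access-id" as the subject type for an
# individual entry is an assumption made here.
from dataclasses import dataclass

SPECIFICITY = {"access-id": 0, "group": 1}   # lower value = more specific subject


@dataclass(frozen=True)
class Aci:
    version: str
    scope: str
    action: str         # "grant" or "deny"
    permissions: str    # permission letters, e.g. "r" or "rw"
    attribute: str      # attribute the rights apply to
    subject_type: str   # "access-id" (one entry) or "group"
    subject: str        # normalised DN of the subject


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation for comparison (trim each RDN, fold case).
    Real DN matching is more involved; this is a simplification."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_aci(value: str) -> Aci:
    """Parse one aci attribute value; raise ValueError on malformed input."""
    parts = value.split("#", 4)          # the subject DN keeps any later '#'
    if len(parts) != 5:
        raise ValueError(f"expected 5 '#'-separated fields: {value!r}")
    version, scope, rights, subject_type, subject = parts
    rights_parts = rights.split(";")
    if len(rights_parts) != 3:
        raise ValueError(f"expected action;permissions;attribute: {rights!r}")
    action, permissions, attribute = (p.strip().lower() for p in rights_parts)
    if action not in ("grant", "deny"):
        raise ValueError(f"action must be grant or deny: {action!r}")
    if subject_type.strip() not in SPECIFICITY:
        raise ValueError(f"unsupported subject type: {subject_type!r}")
    return Aci(version.strip(), scope.strip().lower(), action, permissions,
               attribute, subject_type.strip(), normalize_dn(subject))


def evaluate(acis, requester_dn, member_of, permission, attribute) -> str:
    """Decide "grant" or "deny" for one (requester, permission, attribute).

    Rule order, as agreed in the thread:
      0. no applicable aci at all          -> deny (deny is the default)
      1. the most specific subject type wins (access-id over group)
      2. among equally specific values, deny beats grant
    """
    requester = normalize_dn(requester_dn)
    groups = {normalize_dn(g) for g in member_of}
    attribute = attribute.lower()
    applicable = []
    for aci in acis:
        if aci.attribute != attribute or permission not in aci.permissions:
            continue
        if aci.subject_type == "access-id" and aci.subject == requester:
            applicable.append(aci)
        elif aci.subject_type == "group" and aci.subject in groups:
            applicable.append(aci)
    if not applicable:
        return "deny"
    best = min(SPECIFICITY[a.subject_type] for a in applicable)
    winners = [a for a in applicable if SPECIFICITY[a.subject_type] == best]
    return "deny" if any(a.action == "deny" for a in winners) else "grant"


# Constructed sample data: the two conflicting values from the thread plus
# one entry-level grant for a hypothetical user.
GROUP_DN = "cn=Dept XYZ, c=US"
ALICE_DN = "cn=Alice, ou=Dept XYZ, c=US"
CONFLICTING = [
    parse_aci("1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US"),
    parse_aci("1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US"),
]
USER_GRANT = parse_aci(f"1.2.3.4#subtree#grant;r;attribute1#access-id#{ALICE_DN}")


def demo() -> dict:
    """Run the cases the thread argues about and return the decisions."""
    return {
        # rule 2: identical group values, grant vs deny -> deny
        "conflict_same_specificity": evaluate(CONFLICTING, ALICE_DN, [GROUP_DN], "r", "attribute1"),
        # rule 1: an entry-level grant overrides the group-level deny
        "user_overrides_group": evaluate(CONFLICTING + [USER_GRANT], ALICE_DN, [GROUP_DN], "r", "attribute1"),
        # default: requester matches no value at all -> deny
        "no_aci_information": evaluate(CONFLICTING, "cn=Bob, c=US", [], "r", "attribute1"),
        # a permission no value covers -> deny
        "permission_not_granted": evaluate(CONFLICTING + [USER_GRANT], ALICE_DN, [GROUP_DN], "w", "attribute1"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:28s} -> {decision}")
```

The point of `evaluate` is the order: specificity is resolved first and deny-over-grant only among the survivors. Applying deny-over-grant across all applicable values instead would let a group-level deny silently defeat an entry-level grant, which is the opposite of rule 1 and exactly the kind of divergence between implementations that David's original question was about.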