
Re: Comments on aci-model-04

Jim,

> Could the fact that when group dnType is used, the target points to a
> groupOfNames be documented in the draft?

I think I'd prefer to simply add a statement that says group refers to an object
which holds a collection of member DNs. I don't want to restrict implementations
to using the groupOfNames objectclass if we don't have to. Is that enough?

> Then I'm still lost on two related points. I'm still unsure of what
> constitutes a role, and I'm wondering if there's a way to specify that the
> target is a subtree.

We can certainly consider adding something that represents something of type
'subtree' ( vs group or access-id ).

Let me try another stab at role vs group definition. In the strict definition,
roles and groups are both collections of DNs. So, on the surface, they are the
same. My understanding is that in the security world, there is a slight
difference; not in implementation, but in expectation. When a user is added to a
group that's all there is to it; he's now a member of 'Monday football
announcements' ( or whatever ). However, when the user is added to a role, there
is some expectation that he will receive certain permissions as a member of that
role. For instance, when a user is added to an 'Administrator' group, (s)he would
expect to have access to particular files, queues etc. ( It is still up to the
system administrator to ensure those expectations are met )

Debbie

INet: djbyrne@us.ibm.com
Lotus Notes : djbyrne@ibmus
Phone: (512)838-1930 ( T/L 678 )

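The three kinds of DN reference discussed in this exchange (a single access-id, a group object holding member DNs, and the proposed subtree type) differ in how an implementation decides whether a given entry is covered. The following is an added illustration written for this archive page, not code from the aci-model draft or from either correspondent: it resolves a DN against each kind of target. The dnType strings, the in-memory groupOfNames-like member lists, the nested-group handling, and the case-insensitive, whitespace-trimmed DN comparison are all assumptions made for the example (real LDAP DN matching follows the matching rules of the attribute types involved).

```python
"""Added illustration (not from the aci-model draft or the thread):
resolving whether a DN matches an ACI target of dnType access-id,
group (or role, identical in representation) or subtree.
All names and data below are constructed for the example."""
import re
from dataclasses import dataclass


def parse_dn(dn):
    """Split a DN into normalized RDN strings, most-specific first.
    Backslash-escaped commas are not treated as separators.
    Case-insensitive, whitespace-trimmed comparison is an assumption."""
    parts = re.split(r'(?<!\\),', dn)
    return tuple(p.strip().lower() for p in parts)


def is_under(dn, base):
    """True if `dn` equals `base` or lies below it in the tree.
    Comparison is per RDN component, so ou=people2 is not under ou=people."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


@dataclass
class Directory:
    # group DN (normalized tuple) -> list of member DNs, as a
    # groupOfNames-style object would hold them (assumed representation)
    groups: dict


def subject_matches(directory, dn_type, target, subject_dn, _seen=None):
    """Decide whether `subject_dn` is covered by the target of the given dnType."""
    if dn_type == "access-id":
        return parse_dn(target) == parse_dn(subject_dn)
    if dn_type == "subtree":  # type proposed in the thread, not in the draft
        return is_under(subject_dn, target)
    if dn_type in ("group", "role"):
        # role and group resolve identically; only the expectation differs
        seen = _seen if _seen is not None else set()
        key = parse_dn(target)
        if key in seen:  # guard against cyclic nested groups
            return False
        seen.add(key)
        for member in directory.groups.get(key, []):
            member_key = parse_dn(member)
            if member_key == parse_dn(subject_dn):
                return True
            # a member that is itself a group is expanded recursively
            if member_key in directory.groups and subject_matches(
                    directory, "group", member, subject_dn, seen):
                return True
        return False
    raise ValueError(f"unknown dnType: {dn_type}")


# Constructed sample directory: two groups that reference each other.
DIRECTORY = Directory(groups={
    parse_dn("cn=admins,ou=groups,dc=example,dc=com"): [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=ops,ou=groups,dc=example,dc=com",
    ],
    parse_dn("cn=ops,ou=groups,dc=example,dc=com"): [
        "uid=bob,ou=people,dc=example,dc=com",
        "cn=admins,ou=groups,dc=example,dc=com",  # cycle back to admins
    ],
})


def demo():
    """Return the resolution results for a few constructed cases."""
    admins = "cn=admins,ou=groups,dc=example,dc=com"
    return {
        "alice_in_admins": subject_matches(
            DIRECTORY, "group", admins, "uid=alice,ou=people,dc=example,dc=com"),
        "bob_in_admins_via_ops": subject_matches(
            DIRECTORY, "group", admins, "uid=bob,ou=people,dc=example,dc=com"),
        "carol_in_admins": subject_matches(
            DIRECTORY, "group", admins, "uid=carol,ou=people,dc=example,dc=com"),
        "alice_under_people": subject_matches(
            DIRECTORY, "subtree", "ou=people,dc=example,dc=com",
            "uid=alice,ou=people,dc=example,dc=com"),
        "alice_under_people2": subject_matches(
            DIRECTORY, "subtree", "ou=people2,dc=example,dc=com",
            "uid=alice,ou=people,dc=example,dc=com"),
        "access_id_case_insensitive": subject_matches(
            DIRECTORY, "access-id", "UID=Alice, OU=People, DC=example, DC=com",
            "uid=alice,ou=people,dc=example,dc=com"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the example makes is the one Jim is asking about: group and role membership are resolved by looking inside a named object, while subtree coverage is decided purely from the DN's position in the tree, so the two are distinct target kinds and an implementation cannot derive one from the other.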

"Jim Sermersheim" <JIMSE@novell.com> on 10/20/99 11:57:27 AM