
Examples (differing privileges, DNs) for aci-model-04



I would like to clarify my understanding of how ACIs interact with each other by giving examples and what I expect the resultant rights to be.  In most cases, I have been unable to decide from aci-model-04 what the results should be.  I propose expanding the example section with any of these that are deemed useful by the collective.

Please excuse my abbreviated LDIF format:
1.  I've only included the ACI attributes.
2.  I've also numbered the ACIs for ease of discussions and explanations.
3.  I've only given the RDN instead of full DNs on the aci.
     cn=bjarvis, ou=ABC, o=XYZ, c=US
     cn=G1wBJarvis, ou=ABC, o=XYZ, c=US
     cn=G2wBJarvis, ou=ABC, o=XYZ, c=US

For all of these
assume cn=bjarvis is a member of group cn=G1wBJarvis
assume cn=bjarvis is a member of group cn=G2wBJarvis

Example #1
dn: o=XYZ, c=US
aci#1.1: 1.2.3.4#subtree#grant;r;attribute1;#access-id#cn=bjarvis
aci#1.2: 1.2.3.4#subtree#grant;w;attribute1;#group#cn=G1wBJarvis

What rights does cn=bjarvis have to attribute1 of o=XYZ, c=US?
Two reasonable answers:
A1.1: r    (aci#1.1 overrides aci#1.2 because access-id is higher precedence than group)
A1.2: r,w    (rights are ORed between aci#1.1 and aci#1.2)
I can see how some might prefer A1.1, but I strongly prefer A1.2.
I submit that "because access-id is higher precedence than group" does not apply because both ACIs are grants.

Example #2
dn: o=XYZ, c=US
aci#2.1: 1.2.3.4#subtree#grant;r;attribute2;#group#cn=G1wBJarvis
aci#2.2: 1.2.3.4#subtree#grant;w;attribute2;#group#cn=G2wBJarvis
 
What rights does cn=bjarvis have to attribute2 of o=XYZ, c=US?
One reasonable answer:
A2.1: r    (rights are aci#2.1 "OR" aci#2.2)
I strongly prefer A2.1.

Example #3
dn: o=XYZ, c=US
aci#3.1: 1.2.3.4#subtree#grant;r,w;attribute3;#group#cn=G1wBJarvis
aci#3.2: 1.2.3.4#subtree#deny;w;attribute3;#group#cn=G2wBJarvis
 
What rights does cn=bjarvis have to attribute3 of o=XYZ, c=US?
Two reasonable answers:
A3.1: r    (rights are aci#3.1 "minus" aci#3.2)
A3.2: none    (aci#3.1 overrides aci#3.2 because deny is higher precedence than grant)
I strongly prefer A3.1.

Example #4
dn: o=XYZ, c=US
aci#4.1: 1.2.3.4#subtree#grant;w;attribute4;#access-id#cn=bjarvis
aci#4.2: 1.2.3.4#subtree#grant;r;attribute4;#access-id#cn=ABC
 
What rights does cn=bjarvis have to attribute4 of o=XYZ, c=US?
Two reasonable answers:
A4.1: w    (aci#4.2 has no bearing--no "identity equivalence")
A4.2: r,w    (rights are aci#4.1 "OR" aci#4.2 because of "identity equivalence")
I can see how some might prefer A4.1, but I strongly prefer A4.2.

Four examples ought to make a good start.

--the walrus
a.k.a. Brian Jarvis
bjarvis@novell.com
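A small evaluator for the four examples above, added here as an illustration; it is not code from aci-model-04, from any server, or from the poster. The ACI strings are copied verbatim from the post. Everything else is an assumption: the class and function names (Aci, parse_aci, effective_rights, evaluate_examples), the three combination policies (union, specific-wins, deny-aci-wins), which stand in for the competing readings A1.1/A1.2, A3.1/A3.2 and A4.1/A4.2 rather than for the draft's actual rules, and the `equivalents` parameter, which models the post's "identity equivalence" by treating cn=ABC as a DN whose access-id ACIs also apply to cn=bjarvis.

```python
"""Toy evaluator for the '#'-separated ACI strings quoted in the post.
Added example; the combination policies are assumptions, not the draft's rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Aci:
    family: str          # ACI family OID, "1.2.3.4" in the post
    scope: str           # "entry" or "subtree"
    action: str          # "grant" or "deny"
    rights: frozenset    # e.g. {"r", "w"}
    attrs: frozenset     # attribute types the ACI covers
    subject_type: str    # "access-id" or "group"
    subject_dn: str      # abbreviated DN, exactly as written in the post


def parse_aci(text: str) -> Aci:
    """Parse 'OID#scope#action;rights;attrs;#subjectType#subjectDN'."""
    family, scope, perm, subject_type, subject_dn = text.split("#")
    parts = perm.rstrip(";").split(";")          # the clause ends in ';' before '#'
    if len(parts) != 3 or parts[0] not in ("grant", "deny"):
        raise ValueError(f"bad permission clause {perm!r}")
    action, rights, attrs = parts
    return Aci(family, scope, action,
               frozenset(r for r in rights.split(",") if r),
               frozenset(a for a in attrs.split(",") if a),
               subject_type, subject_dn)


SPECIFICITY = {"access-id": 2, "group": 1}   # assumption: access-id is more specific than group


def applies(aci: Aci, subject_dn: str, groups: frozenset, equivalents: frozenset) -> bool:
    """Does the ACI's subject clause match the requester (or an assumed equivalent DN)?"""
    if aci.subject_type == "access-id":
        return aci.subject_dn == subject_dn or aci.subject_dn in equivalents
    if aci.subject_type == "group":
        return aci.subject_dn in groups
    return False


def effective_rights(acis, subject_dn, attr, groups=frozenset(),
                     equivalents=frozenset(), policy="union"):
    """Effective rights on `attr` under one of three hypothetical policies:
       union          all matching grants are ORed; matching denies subtract
                      individual rights (the post's A1.2 / A3.1 reading)
       specific-wins  only ACIs of the most specific matching subject type count,
                      then as for union (A1.1 reading)
       deny-aci-wins  any matching deny ACI cancels every grant on the attribute
                      (A3.2 reading)
    `equivalents` holds extra DNs whose access-id ACIs also apply (A4.2 reading)."""
    relevant = [a for a in acis
                if attr in a.attrs and applies(a, subject_dn, groups, equivalents)]
    if policy == "specific-wins" and relevant:
        best = max(SPECIFICITY[a.subject_type] for a in relevant)
        relevant = [a for a in relevant if SPECIFICITY[a.subject_type] == best]
    denied = set().union(*(a.rights for a in relevant if a.action == "deny"))
    if policy == "deny-aci-wins" and denied:
        return frozenset()
    granted = set().union(*(a.rights for a in relevant if a.action == "grant"))
    return frozenset(granted - denied)


# The four examples from the post, ACI strings copied verbatim.
EXAMPLES = {
    1: ("attribute1", ["1.2.3.4#subtree#grant;r;attribute1;#access-id#cn=bjarvis",
                       "1.2.3.4#subtree#grant;w;attribute1;#group#cn=G1wBJarvis"]),
    2: ("attribute2", ["1.2.3.4#subtree#grant;r;attribute2;#group#cn=G1wBJarvis",
                       "1.2.3.4#subtree#grant;w;attribute2;#group#cn=G2wBJarvis"]),
    3: ("attribute3", ["1.2.3.4#subtree#grant;r,w;attribute3;#group#cn=G1wBJarvis",
                       "1.2.3.4#subtree#deny;w;attribute3;#group#cn=G2wBJarvis"]),
    4: ("attribute4", ["1.2.3.4#subtree#grant;w;attribute4;#access-id#cn=bjarvis",
                       "1.2.3.4#subtree#grant;r;attribute4;#access-id#cn=ABC"]),
}
SUBJECT = "cn=bjarvis"
GROUPS = frozenset({"cn=G1wBJarvis", "cn=G2wBJarvis"})   # memberships stated in the post


def evaluate_examples(policy="union", equivalents=frozenset()):
    """Return {example number: sorted list of effective rights} under `policy`."""
    return {n: sorted(effective_rights([parse_aci(s) for s in strs], SUBJECT,
                                       attr, GROUPS, equivalents, policy))
            for n, (attr, strs) in EXAMPLES.items()}


if __name__ == "__main__":
    for policy in ("union", "specific-wins", "deny-aci-wins"):
        print(policy, evaluate_examples(policy))
    # Assumed equivalence for the A4.2 reading: cn=bjarvis is treated as cn=ABC too.
    print("union + equivalence", evaluate_examples("union", frozenset({"cn=ABC"})))
```

Under "union" the four examples come out as r,w / r,w / r / w; switching to "specific-wins" changes only example 1 (to r), "deny-aci-wins" changes only example 3 (to none), and adding cn=ABC to `equivalents` changes only example 4 (to r,w). Each disputed answer in the post therefore maps to exactly one knob, which is what a spec example section needs to pin down.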