
Re: Examples (differing privileges, DNs) for aci-model-04



Brian
Here are my preferred options (which I believe are also compatible 
with the X.500 ACDF)

> 
> Example #1
> dn: o=XYZ, c=US
> aci#1.1: 1.2.3.4#subtree#grant;r;attribute1;#access-id#cn=bjarvis
> aci#1.2: 1.2.3.4#subtree#grant;w;attribute1;#group#cn=G1wBJarvis
> 
> What rights does cn=bjarvis have to attribute1 of o=XYZ, c=US?
> Two reasonable answers:
> A1.1: r    (aci#1.1 overrides aci#1.2 because access-id is higher
> precedence than group) A1.2: r,w    (rights are ORed between aci#1.1
> and aci#1.2) I can see how some might prefer A1.1, but I strongly
> prefer A1.2. I submit that "because access-id is higher precedence
> than group" does not apply because both ACIs are grants.

A1.2 would be my choice.

> 
> Example #2
> dn: o=XYZ, c=US
> aci#2.1: 1.2.3.4#subtree#grant;r;attribute2;#group#cn=G1wBJarvis
> aci#2.2: 1.2.3.4#subtree#grant;w;attribute2;#group#cn=G2wBJarvis
> 
> What rights does cn=bjarvis have to attribute2 of o=XYZ, c=US?
> One reasonable answer:
> A2.1: r    (rights are aci#2.1 "OR" aci#2.2)
> I strongly prefer A2.1.
> 

I would strongly prefer r and w which is not in your list (although I 
suspect there is an error in your email, since you only gave one 
option)

> Example #3
> dn: o=XYZ, c=US
> aci#3.1: 1.2.3.4#subtree#grant;r,w;attribute3;#group#cn=G1wBJarvis
> aci#3.2: 1.2.3.4#subtree#deny;w;attribute3;#group#cn=G2wBJarvis
> 
> What rights does cn=bjarvis have to attribute3 of o=XYZ, c=US?
> Two reasonable answers:
> A3.1: r    (rights are aci#3.1 "minus" aci#3.2)
> A3.2:none    (aci#3.1 overrides aci#3.2 because deny is higher
> precedence than grant) I strongly prefer A3.1.
> 

Agreed. A grant should not override a grant.

> Example #4
> dn: o=XYZ, c=US
> aci#4.1: 1.2.3.4#subtree#grant;w;attribute4;#access-id#cn=bjarvis
> aci#4.2: 1.2.3.4#subtree#;r;attribute4;#access-id#cn=ABC
> 
> What rights does cn=bjarvis have to attribute4 of o=XYZ, c=US?
> Two reasonable answers:
> A4.1: w    (aci#24.2 has no bearing--no "identity equivalence")
> A4.2: r,w    (rights are aci#1.1 "OR" aci#1.2 because of "identity
> equivalence") I can see how some might prefer A4.1, but I strongly
> prefer A4.2.

I don't follow where your identity equivalence came from. Sorry. 
Was ABC meant to be an alias of bjarvis?


> 
> Four examples ought to make a good start.

But a good set of precise rules (as in X.501) would be much better :-)

David

***************************************************

David Chadwick
IS Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351  Fax +44 161 745 8169
Mobile +44 790 167 0359
Email D.W.Chadwick@salford.ac.uk
Home Page  http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J

***************************************************
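The combination rules discussed above can be made concrete with a small evaluator. The following is an added illustration, not code from the aci-model draft or from either correspondent: it parses the `1.2.3.4#subtree#grant;r;attribute1;#access-id#cn=bjarvis` strings quoted in the thread and applies the rules the reply favours (all matching grants are ORed together, so Example #2 yields r and w; a matching deny removes only the rights it names, so Example #3 yields r). Group membership is an input that neither the draft nor the thread specifies, so the `MEMBERSHIP` table, the `norm_dn` helper and the decision to reject the malformed `aci#4.2` (empty action) rather than read it as a grant are all assumptions made here.

```python
"""Toy evaluator for the aci-model style ACI strings quoted in this thread.

Added illustration, not code from the draft or from either correspondent.
Rules implemented: grants are ORed, a deny subtracts only the rights it
names, and a malformed ACI is rejected (fail closed) instead of guessed at.
"""
from dataclasses import dataclass

RIGHTS = {"r", "w"}            # only the rights used in the examples
ACTIONS = {"grant", "deny"}
SUBJECT_TYPES = {"access-id", "group"}


def norm_dn(dn):
    """Crude DN normalisation (assumption: lower-case, no space after commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


@dataclass(frozen=True)
class Aci:
    family: str            # OID prefix, "1.2.3.4" in the examples
    scope: str             # "subtree" in the examples
    action: str            # "grant" or "deny"
    rights: frozenset      # subset of RIGHTS
    attributes: frozenset  # attribute types the ACI covers
    subject_type: str      # "access-id" or "group"
    subject: str           # normalised DN


def parse_aci(value):
    """Parse 'family#scope#action;rights;attributes;#subject-type#subject'."""
    fields = value.split("#")
    if len(fields) != 5:
        raise ValueError(f"expected 5 '#'-separated fields: {value!r}")
    family, scope, perm, subject_type, subject = fields
    perm_parts = perm.split(";")           # action;rights;attributes;
    if len(perm_parts) < 3:
        raise ValueError(f"malformed permission field: {perm!r}")
    action, rights, attrs = perm_parts[0], perm_parts[1], perm_parts[2]
    if action not in ACTIONS:
        # aci#4.2 in the thread has an empty action: reject, do not assume grant
        raise ValueError(f"unknown action {action!r} in {value!r}")
    right_set = frozenset(r for r in rights.split(",") if r)
    if not right_set <= RIGHTS:
        raise ValueError(f"unknown rights {rights!r} in {value!r}")
    if subject_type not in SUBJECT_TYPES:
        raise ValueError(f"unknown subject type {subject_type!r}")
    return Aci(family, scope, action, right_set,
               frozenset(a for a in attrs.split(",") if a),
               subject_type, norm_dn(subject))


def is_well_formed(value):
    try:
        parse_aci(value)
        return True
    except ValueError:
        return False


def subject_matches(aci, requester_dn, membership):
    if aci.subject_type == "access-id":
        return aci.subject == requester_dn
    return aci.subject in membership.get(requester_dn, frozenset())


def effective_rights(aci_values, requester_dn, membership, attribute):
    """Union of matching grants minus union of matching denies."""
    requester_dn = norm_dn(requester_dn)
    granted, denied = set(), set()
    for aci in map(parse_aci, aci_values):
        if attribute not in aci.attributes:
            continue
        if not subject_matches(aci, requester_dn, membership):
            continue
        (granted if aci.action == "grant" else denied).update(aci.rights)
    return granted - denied


# Constructed membership table (assumption): bjarvis is in both groups.
MEMBERSHIP = {norm_dn("cn=bjarvis"): frozenset({norm_dn("cn=G1wBJarvis"),
                                                norm_dn("cn=G2wBJarvis")})}

# The ACI values from the thread's four examples.
EXAMPLE_1 = ["1.2.3.4#subtree#grant;r;attribute1;#access-id#cn=bjarvis",
             "1.2.3.4#subtree#grant;w;attribute1;#group#cn=G1wBJarvis"]
EXAMPLE_2 = ["1.2.3.4#subtree#grant;r;attribute2;#group#cn=G1wBJarvis",
             "1.2.3.4#subtree#grant;w;attribute2;#group#cn=G2wBJarvis"]
EXAMPLE_3 = ["1.2.3.4#subtree#grant;r,w;attribute3;#group#cn=G1wBJarvis",
             "1.2.3.4#subtree#deny;w;attribute3;#group#cn=G2wBJarvis"]
EXAMPLE_4 = ["1.2.3.4#subtree#grant;w;attribute4;#access-id#cn=bjarvis",
             "1.2.3.4#subtree#;r;attribute4;#access-id#cn=ABC"]

if __name__ == "__main__":
    for n, (acis, attr) in enumerate([(EXAMPLE_1, "attribute1"),
                                      (EXAMPLE_2, "attribute2"),
                                      (EXAMPLE_3, "attribute3")], 1):
        print(f"Example #{n}:", sorted(effective_rights(acis, "cn=bjarvis", MEMBERSHIP, attr)))
    print("aci#4.2 well formed:", is_well_formed(EXAMPLE_4[1]))
```

Because grants are ORed, any group the requester belongs to can widen what an access-id ACI alone would allow, which is why group membership becomes the thing to control and audit under these semantics; a deployment that wants the A1.1 precedence reading instead would need a different combination step, not just different ACIs.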