
Re: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt




Bob Blakley wrote:

> >I would propose (lowest--least specific) group, role, ip-address?, access-id
> >(highest--most specific).
>
> For reasons explained in my earlier note, I consider group to be more specific
> than role.  So my partial order goes:
>
>     (lowest--least specific) role, group, access-id (highest--most specific).
>
> My personal feeling is that ip-address is completely useless as a subject
> field and shouldn't be allowed as a privilege attribute at all.

Can time-based attributes (like timeofday and dayofWeek)
or authentication strength be considered privilege attributes?
I think they should be.

It will be very hard to get an exact precedence rule once we throw in
new privilege attributes. Should we think of a "precedence category"?

Thanks
/prasanta
