[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Comments on aci-model-04

To: ietf-ldapext@netscape.com
Subject: Re: Comments on aci-model-04
From: djbyrne@us.ibm.com
Date: Mon, 25 Oct 1999 10:58:27 -0500
Cc: stokes@austin.ibm.com
Content-disposition: inline
Resent-date: Mon, 25 Oct 1999 09:01:07 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"2oSmYB.A.9cG.76HF4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com



All:

There's been several requests for the concept of an acl applying to a
subtree of DNs.

The proposal on the table is to add an additional identifier to the subject
Type: subtree. Subtree would mean that the aci entry would apply to the DN
and all descendants of that dn.
aci: 1.2.3.4#entry#grant;r;w;[all];#subtree#ou=Org,c=Country
This aci would be applicable to: ou=Org,c=Country ,   cn=Group1
,ou=Org,c=Country etc.

Including subtree, the precedence order for subject Types would be:
(Lowest- least specific) subtree - role - group - accessId ( highest - most
specific )

I don't really like using the term subtree here, since it's already been
used in the BNF. I rather use a distinct term so there isn't any confusion,
so if anyone can think of another term, please speak up.

Debbie


INet: djbyrne@us.ibm.com
Lotus Notes : djbyrne@ibmus
Phone: (512)838-1930 ( T/L 678 )

Follow-Ups:
- Re: Comments on aci-model-04
  - From: prasanta@netscape.com (Prasanta Behera)
- Re: Comments on aci-model-04
  - From: Erik Skovgaard <eskovgaard@geotrain.com>

Prev by Date: RE: Match rule to dereference pointers
Next by Date: Re: comments on ldap password policy draft
Index(es):
- Chronological
- Thread