djbyrne@us.ibm.com wrote:

> All:
>
> There's been several requests for the concept of an acl applying to a
> subtree of DNs.
>
> The proposal on the table is to add an additional identifier to the subject
> Type : subtree. Subtree would mean that the aci entry would apply to the DN
> and all descendants of that dn.
> aci: 1.2.3.4#entry#grant;r;w;[all];#subtree#ou=Org,c=Country
> This aci would be applicable to: ou=Org,c=Country , cn=Group1
> ,ou=Org,c=Country etc.
>

Does this mean that "the aci is applicable" or "anyone within
ou=org,c=country" has the privilege? I am thinking it's the latter.

I would suggest a more general approach of using filters here.

aci: 1.2.3.4#entry#grant;r;w;[all];#(filter)#ou=Org,c=Country

/prasanta

> Including subtree, the precedence order for subject Types would be:
> (Lowest- least specific) subtree - role - group - accessId ( highest - most
> specific )
>
> I don't really like using the term subtree here, since it's already been
> used in the BNF. I rather use a distinct term so there isn't any confusion,
> so if anyone can think of another term, please speak up.
>
> Debbie
>
> INet: djbyrne@us.ibm.com
> Lotus Notes : djbyrne@ibmus
> Phone: (512)838-1930 ( T/L 678 )
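The following is an added example, not part of the message or of any draft text. It parses the `#`-separated aci form quoted above, tests subtree membership RDN by RDN rather than by string suffix, and picks the matching entry by the precedence order listed in the thread. It assumes the reading in which `subtree` names the subjects (anyone whose DN is at or below the given DN); the DN parsing is simplified, the `memberships` argument is a hypothetical stand-in for a role/group lookup, and the second sample aci is constructed.

```python
import re

# Subject-type precedence from the message, lowest (least specific) first.
PRECEDENCE = ["subtree", "role", "group", "accessid"]

def split_rdns(dn):
    """Normalized (attr, value) RDNs. Simplified: splits on unescaped commas
    only; multi-valued RDNs and escaped backslashes are not handled."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_subtree(dn, base):
    """True if dn is base or a descendant, compared RDN by RDN (a plain
    string suffix test would also accept 'cn=x,xou=Org,c=Country')."""
    d, b = split_rdns(dn), split_rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def parse_aci(aci):
    """Parse the '#'-separated form shown in the message."""
    oid, scope, rights, subject_type, subject_dn = aci.split("#", 4)
    return {"oid": oid, "scope": scope,
            "rights": [r for r in rights.split(";") if r],
            "type": subject_type.lower(), "dn": subject_dn}

def subject_matches(aci, bind_dn, memberships=()):
    if aci["type"] == "subtree":
        return in_subtree(bind_dn, aci["dn"])
    if aci["type"] == "accessid":
        return split_rdns(bind_dn) == split_rdns(aci["dn"])
    # role / group: membership DNs are supplied by the caller (assumption).
    return any(split_rdns(m) == split_rdns(aci["dn"]) for m in memberships)

def most_specific(acis, bind_dn, memberships=()):
    """Matching ACI whose subject type ranks highest, or None."""
    hits = [a for a in map(parse_aci, acis)
            if subject_matches(a, bind_dn, memberships)]
    return max(hits, key=lambda a: PRECEDENCE.index(a["type"]), default=None)

ACIS = [
    "1.2.3.4#entry#grant;r;w;[all];#subtree#ou=Org,c=Country",  # from the message
    "1.2.3.4#entry#grant;r;[all];#accessId#cn=Bob,ou=Org,c=Country",  # constructed
]
```

With these two entries, a bind as `cn=Bob,ou=Org,c=Country` resolves to the accessId entry even though the subtree entry also matches, which is the effect of the stated precedence order.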