Re: Comments on aci-model-04



I would like to suggest a twist to the "subtree" idea.  Instead of adding an additional identifier "subtree", the default would be that an object receives all the rights explicitly given to it and the rights given to the objects that comprise its DN.  For example, when calculating the rights for the object:

           cn=dsward, ou=engineering, ou=provo, o=novell

The rights for the object would be the sum of:

          1) explicit rights given to cn=dsward,
          2) rights for ou=engineering,
          3) rights for ou=provo,
          4) rights for o=novell,
          5) rights for "public"

If I remember correctly, Brian Jarvis referred to this as "identity equivalence" in an earlier email.  There is no need for a "subtree" identifier.  By default, I inherit all the rights given to the "parent" objects in my DN.

From an administrative point of view this can be very powerful.  If I want to grant/deny specific rights to all objects in the ou=marketing container, I just add one aci listing ou=marketing as the subject and every subordinate object gets the rights.


David Ward
dsward@novell.com


>>> <djbyrne@us.ibm.com> 10/25/99 10:01:17 AM >>>



All:

There have been several requests for the concept of an acl applying to a
subtree of DNs.

The proposal on the table is to add an additional identifier to the subject
Type: subtree. Subtree would mean that the aci entry would apply to the DN
and all descendants of that DN.

aci: 1.2.3.4#entry#grant;r;w;[all];#subtree#ou=Org,c=Country

This aci would be applicable to: ou=Org,c=Country, cn=Group1,ou=Org,c=Country, etc.

Including subtree, the precedence order for subject Types would be:
(lowest, least specific) subtree - role - group - accessId (highest, most specific)

I don't really like using the term subtree here, since it's already been
used in the BNF. I'd rather use a distinct term so there isn't any confusion,
so if anyone can think of another term, please speak up.

Debbie


INet: djbyrne@us.ibm.com 
Lotus Notes : djbyrne@ibmus
Phone: (512)838-1930 ( T/L 678 )
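An added example (not code from either message in this thread) that computes the rights an entry receives under the "identity equivalence" calculation in David's reply (explicit rights for its own DN, plus rights granted to each ancestor DN in its DN, plus "public") and checks the applicability of a `#subtree#` subject as in Debbie's ou=Org,c=Country example; the aci list, the DNs and the single-letter rights are constructed for illustration.

```python
# Added example: identity-equivalence rights calculation over LDAP DNs.
# Rights are modelled as sets of opaque letters (e.g. {"r", "w"}); the
# letters carry no meaning beyond this example.

def normalize_dn(dn):
    """Canonicalise a DN string: strip spaces around RDNs, lower-case it."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()

def identity_chain(dn):
    """The DN itself and every ancestor DN, most specific first:
    cn=a,ou=b,o=c -> [cn=a,ou=b,o=c  ou=b,o=c  o=c]."""
    rdns = normalize_dn(dn).split(",")
    return [",".join(rdns[i:]) for i in range(len(rdns))]

def subtree_applies(subject_dn, target_dn):
    """True when target_dn is subject_dn or one of its descendants,
    i.e. when a '#subtree#subject_dn' aci would apply to target_dn."""
    return normalize_dn(subject_dn) in identity_chain(target_dn)

def effective_rights(target_dn, acis):
    """Union of rights from every aci whose subject is target_dn itself,
    an ancestor DN within target_dn, or 'public'.
    acis: list of (subject, set_of_rights) pairs."""
    chain = set(identity_chain(target_dn)) | {"public"}
    rights = set()
    for subject, granted in acis:
        key = "public" if subject == "public" else normalize_dn(subject)
        if key in chain:
            rights |= set(granted)
    return rights

# Constructed sample acis (hypothetical subjects and rights).
SAMPLE_ACIS = [
    ("o=novell", {"r"}),
    ("ou=provo, o=novell", {"s"}),
    ("ou=engineering, ou=provo, o=novell", {"w"}),
    ("cn=dsward, ou=engineering, ou=provo, o=novell", {"c"}),
    ("ou=marketing, ou=provo, o=novell", {"d"}),   # sibling container: must not leak in
    ("public", {"x"}),
]

if __name__ == "__main__":
    dn = "cn=dsward, ou=engineering, ou=provo, o=novell"
    print(sorted(effective_rights(dn, SAMPLE_ACIS)))  # ['c', 'r', 's', 'w', 'x']
    print(subtree_applies("ou=Org,c=Country", "cn=Group1 ,ou=Org,c=Country"))  # True
```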