[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Attribute groupings
Within the BNF, we have a syntax for grouping attributes;
< attrs > ::= [ < attributeString>
+ [ ',' + < attributeString > ] * ]
The attributeString is an attribute Name (defined to be a
printable string). If the string refers to an attribute
not defined in the given server's schema, the server
SHOULD report an error.
....
Multiple attributeStrings can be listed after any given
permission set; for instance, "r,w ; attribute1,
attribute2". This means that if the server supports a
attribute aggregation mechanism, attribute1 and
attribute2 should be considered to be part of the same
group. If the server does not support a grouping
mechanism, the permission set applies independently to
attribute1 and attribute2. For servers that do not
support attribute grouping, "grant ; r,w ; attribute1,
attribute2" results in the same operations as "grant ;
r,w; attribute1$grant; r,w; attribute2"
While this definition allows aggregation of attributes into groups, it does
not provide an easy mechanism for doing the reverse; setting an aci that
applies to a group of attributes, and allowing the aci to apply to all
attributes within that grouping that already exists. The ability to do this
is very important for ease of administration as the number of attributes
within the directory increases.
There are two possibilities for adding this function to the draft;
a) The attribute string could refer to either an attribute or an attribute
grouping. This approach could make it difficult to distinguish between
attributes and groupings of attributes. It would also mean that the
attribute names can not be re-used as a grouping name.
b) Add to the BNF to support a grouping syntax;
Thought / Comments ?
Debbie
INet: djbyrne@us.ibm.com
Lotus Notes : djbyrne@ibmus
Phone: (512)838-1930 ( T/L 678 )