
Compound ACI values
For some time I have wondered what advantage the ability to define "compound" aci values offers.  By "compound", I mean the ability to declare multiple <right>s for a subject in one aci.  An example might be helpful:

           aci#1:  1.2.3.4#subtree#deny;r,w;[all]$grant;r,s,c;attribute1,attribute2#access-id#cn=dsward....

This value could also be declared as two values:

           aci#2:  1.2.3.4#subtree#deny;r,w;[all]#access-id#cn=dsward...
           aci#3:  1.2.3.4#subtree#grant;r,s,c;attribute1, attribute2#access-id#cn=dsward...

or three values:

           aci#4:  1.2.3.4#subtree#deny;r,w;[all]#access-id#cn=dsward...
           aci#5:  1.2.3.4#subtree#grant;r,s,c;attribute1#access-id#cn=dsward...
           aci#6:  1.2.3.4#subtree#grant;r,s,c;attribute2#access-id#cn=dsward...

The doc defines the aci attribute as a multi-valued attribute, so why allow for "complex" values?  Instead of one large value, break it into multiple simple values (scope#action;permissions;attribute#dntype#subject).

From a developer's perspective, I think multiple values are easier to manage.  If there is one "complex" value, what do I do when I want to delete some access?  I would have to delete the value, parse out the parts I want to keep, and add back the information.  Or, what if a simple value like aci#6 exists and an application adds "complex" aci#1.  Does the server add only the part that doesn't already exist?  Should the server return an "already present" error?  I think developers expect to be able to add an attribute value and turn around and read it.  If the server modifies it to combine overlapping aci values or only saves part of the value, I think it will be confusing.


David Ward
dsward@novell.com
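As an added illustration of the point above (example code, not part of the original post or of any server), the following splits a "compound" aci value into the equivalent simple values and shows, for the aci#6-then-aci#1 case, which parts of the add are already present and which are new. It assumes the field layout shown in the post (oid#scope#rights#dntype#subject, rights groups joined by `$`) and uses a constructed subject DN because the post's DN is truncated.

```python
# Added example: normalise compound aci values to simple ones and classify an add.
# Assumed layout (from the post): oid#scope#rights#dntype#subject, where rights is
# one or more "action;permissions;attributes" groups joined by '$' and attributes
# is a comma-separated list. The subject DN is the last field and may contain '#'.

def split_compound_aci(value: str) -> list[str]:
    """Return the simple aci values (one action, one attribute each)
    that together grant/deny exactly what the compound `value` does."""
    oid, scope, rights, dntype, subject = value.split("#", 4)  # keep '#' inside subject
    simple = []
    for group in rights.split("$"):
        action, perms, attrs = (p.strip() for p in group.split(";", 2))
        for attr in attrs.split(","):
            simple.append(f"{oid}#{scope}#{action};{perms};{attr.strip()}#{dntype}#{subject}")
    return simple


def classify_add(existing: list[str], new_value: str) -> tuple[list[str], list[str]]:
    """Expand stored values and the value being added to simple form and
    report which parts of the add are already stored and which would be new.
    This is the decision a server faces when aci#1 is added over aci#6."""
    stored = {s for v in existing for s in split_compound_aci(v)}
    already, new = [], []
    for s in split_compound_aci(new_value):
        (already if s in stored else new).append(s)
    return already, new


SUBJECT = "cn=dsward,o=example"  # constructed subject DN; the post's is truncated
ACI1 = f"1.2.3.4#subtree#deny;r,w;[all]$grant;r,s,c;attribute1,attribute2#access-id#{SUBJECT}"
ACI6 = f"1.2.3.4#subtree#grant;r,s,c;attribute2#access-id#{SUBJECT}"

if __name__ == "__main__":
    for s in split_compound_aci(ACI1):
        print(s)                       # aci#4, aci#5, aci#6 from the post
    already, new = classify_add([ACI6], ACI1)
    print("already present:", already)
    print("would be added:", new)
```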