[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Comments on aci-model-04

To: djbyrne@us.ibm.com, ietf-ldapext@netscape.com
Subject: Re: Comments on aci-model-04
From: Erik Skovgaard <eskovgaard@geotrain.com>
Date: Mon, 25 Oct 1999 16:46:10 -0700
Cc: stokes@austin.ibm.com
In-reply-to: <85256815.0057F4F1.00@d54mta08.raleigh.ibm.com>
Resent-date: Mon, 25 Oct 1999 16:49:15 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"p21p3.A.B8G.zxOF4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Debbie,

The correct term is "prescriptive ACI".

BTW, it would be nice if we could specify the end of the tree, too.

Cheers,              ....Erik.

--------------------------------
Erik Skovgaard
Enterprise Directory Engineering
GeoTrain Corp
(Global Knowledge Network)
http://www.geotrain.com

At 10:58 1999-10-25 -0500, djbyrne@us.ibm.com wrote:
>
>
>
>All:
>
>There's been several requests for the concept of an acl applying to a
>subtree of DNs.
>
>The proposal on the table is to add an additional identifier to the subject
>Type: subtree. Subtree would mean that the aci entry would apply to the DN
>and all descendants of that dn.
>aci: 1.2.3.4#entry#grant;r;w;[all];#subtree#ou=Org,c=Country
>This aci would be applicable to: ou=Org,c=Country ,   cn=Group1
>,ou=Org,c=Country etc.
>
>Including subtree, the precedence order for subject Types would be:
>(Lowest- least specific) subtree - role - group - accessId ( highest - most
>specific )
>
>I don't really like using the term subtree here, since it's already been
>used in the BNF. I rather use a distinct term so there isn't any confusion,
>so if anyone can think of another term, please speak up.
>
>Debbie
>
>
>INet: djbyrne@us.ibm.com
>Lotus Notes : djbyrne@ibmus
>Phone: (512)838-1930 ( T/L 678 )
>
>
>
>

References:
- Re: Comments on aci-model-04
  - From: djbyrne@us.ibm.com

Prev by Date: Compound ACI values
Next by Date: Re: FYI: Directory definitions document
Index(es):
- Chronological
- Thread