Re: Comments on aci-model-04
David,
As I understand it, the effect of the new dn-type, subtree, is to change the subject(s) of the aci from a single object (given by the dn) to an entire subtree of objects (with the given dn at the root of the subtree). Rights issued to a container object are also given to all the descendants of that container.
As I see it there are several ways to proceed.
1. No change. Access-id is unchanged. Do not define subtree as a dn-type.
2. Add subtree as a dn-type. Access-id is unchanged.
3. Extend definition of Access-id. Change definition of access-id to include the subtree. Do not define subtree as a dn-type.
I think most of us agree that we don't want option 1.
The primary difference between options 2 and 3 is that 2 has the ability to grant rights exclusively to a container (using access-id) without giving the same rights to the subtree. Thus 2 is more powerful than 3.
But is this power useful? I have worked with a system similar to option 3. My experience shows that one rarely binds as a container (ou, o, c) and thus the distinction between 2 and 3 is never utilized. Since it is not utilized, why bother with the complication of implementing it?
Frankly, I would be happy with either 2 or 3. I prefer 3 because I believe it to be just as useful, yet simpler to implement.
--the walrus
a.k.a. Brian Jarvis
bjarvis@novell.com
David Chadwick wrote
>> David,
>> I think perhaps I didn't write my response clearly. There is only
>> one type of group and it contains a group of names, e.g. groupOfNames
>> object. It is the name of the group that is typically placed on an access
>> control list (implementation) to state the access for the names (DNs)
>> contained in that group. Ellen
>Then I would ask that subtree be added please
>David
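To make the difference between options 2 and 3 concrete, here is an added illustration (my own code, not from the draft or from anyone in this thread) that checks whether a bound DN is covered by an ACI subject under each option. The DN parser is a deliberately simplified one that assumes comma-separated RDNs with backslash escaping, and the Novell-style DNs in the test are constructed sample values.

```python
from dataclasses import dataclass


def split_dn(dn: str) -> list[str]:
    """Split a DN into normalised RDN strings, leaf first.
    Simplified parser: honours backslash-escaped commas, lowercases
    each RDN and trims surrounding whitespace (assumption: no
    multi-valued RDNs or hex-escaped values)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep escaped pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]


def is_within_subtree(dn: str, root: str) -> bool:
    """True when dn is root itself or a descendant of it: the RDN
    sequence of root must be a suffix of the RDN sequence of dn."""
    d, r = split_dn(dn), split_dn(root)
    return len(d) >= len(r) and d[len(d) - len(r):] == r


@dataclass(frozen=True)
class Subject:
    dn_type: str   # "access-id" or "subtree"
    dn: str


def matches_option2(subject: Subject, bound_dn: str) -> bool:
    """Option 2: access-id names exactly one object; the separate
    subtree dn-type covers the object and all of its descendants."""
    if subject.dn_type == "access-id":
        return split_dn(subject.dn) == split_dn(bound_dn)
    if subject.dn_type == "subtree":
        return is_within_subtree(bound_dn, subject.dn)
    raise ValueError(f"unknown dn-type {subject.dn_type!r}")


def matches_option3(subject: Subject, bound_dn: str) -> bool:
    """Option 3: access-id itself covers the named object and its
    subtree, so no subtree dn-type exists."""
    if subject.dn_type != "access-id":
        raise ValueError("option 3 defines no subtree dn-type")
    return is_within_subtree(bound_dn, subject.dn)
```

Under option 2 an access-id on a container grants nothing to its descendants, while under option 3 the same access-id reaches the whole subtree; the only thing option 3 loses is a container-only grant.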