
Re: Comments on aci-model-04



David,

As I understand it, the effect of the new dn-type, subtree, is to change the subject(s) of the aci from a single object (given by the dn) to an entire subtree of objects (with the given dn at the root of the subtree).  Rights issued to a container object are also given to all the descendants of that container.

As I see it there are several ways to proceed.
1.  No change.  Access-id is unchanged.  Do not define subtree as a dn-type.
2.  Add subtree as a dn-type.  Access-id is unchanged.
3.  Extend definition of Access-id.  Change definition of access-id to include the subtree.  Do not define subtree as a dn-type.

I think most of us agree that we don't want option 1.

The primary difference between options 2 and 3 is that 2 has the ability to grant rights exclusively to a container (using access-id) without giving the same rights to the subtree.  Thus 2 is more powerful than 3.

But is this power useful?  I have worked with a system similar to option 3.  My experience shows that one rarely binds as a container (ou, o, c) and thus the distinction between 2 and 3 is never utilized.  Since it is not utilized, why bother with the complication of implementing it?

Frankly, I would be happy with either 2 or 3.  I prefer 3 because I believe it to be just as useful, yet simpler to implement.

--the walrus
a.k.a. Brian Jarvis
bjarvis@novell.com


David Chadwick wrote
>> David,
>> I think perhaps I didn't write my response clearly.  There is only
>> one type of group and it contains a group of names, e.g. groupOfNames
>> object. It is the name of the group that is typically placed on an access
>> control list (implementation) to state the access for the names (DNs)
>> contained in that group. Ellen

>Then I would ask that subtree be added please

>David
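The distinction Brian draws between options 2 and 3 is easiest to see in a small matcher. The following is an added example, not part of Brian's message or of the aci-model draft: it takes the three subject dn-types mentioned in the thread (access-id, subtree, and a groupOfNames-style group) and shows which bound DNs each one covers under the two proposals. All function names, the sample DNs, the group and the rights are constructed for illustration; the "option2"/"option3" flag simply names the two proposals in the message, and DN handling is deliberately simplified (no multi-valued RDNs, only backslash-escaped commas).

```python
import re

# Added example (not from the aci-model draft or the e-mail): a toy matcher
# showing how the dn-type of an ACI subject decides which bound DNs it covers.
# The DNs, the group and the rights below are constructed for illustration.


def split_dn(dn):
    """Split a DN into normalized (type, value) RDN pairs, leftmost first.
    Commas escaped with a backslash stay inside the value. Multi-valued
    RDNs and other escape forms are not handled (simplification)."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, val = part.partition('=')
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().lower(),
                     val.strip().replace('\\,', ',').lower()))
    return tuple(rdns)


def same_dn(a, b):
    return split_dn(a) == split_dn(b)


def in_subtree(entry_dn, root_dn):
    """True when entry_dn is root_dn itself or lies anywhere beneath it."""
    entry, root = split_dn(entry_dn), split_dn(root_dn)
    return len(entry) >= len(root) and entry[len(entry) - len(root):] == root


def subject_matches(subject, bind_dn, groups, semantics="option2"):
    """Decide whether an ACI subject covers the bound DN.

    subject   : (dn_type, value) with dn_type in {"access-id", "subtree", "group"}
    groups    : {group DN: [member DN, ...]} standing in for groupOfNames entries
    semantics : "option2" -> access-id names exactly one entry; subtree is a
                             separate dn-type covering the entry and descendants
                "option3" -> access-id itself covers the named entry's subtree;
                             no subtree dn-type exists
    """
    dn_type, value = subject
    if dn_type == "access-id":
        if semantics == "option3":
            return in_subtree(bind_dn, value)
        return same_dn(bind_dn, value)
    if dn_type == "subtree":
        if semantics == "option3":
            raise ValueError("option 3 does not define subtree as a dn-type")
        return in_subtree(bind_dn, value)
    if dn_type == "group":
        for gdn, members in groups.items():
            if same_dn(gdn, value):
                return any(same_dn(bind_dn, m) for m in members)
        return False
    raise ValueError("unknown dn-type: %r" % dn_type)


def granted_rights(acis, bind_dn, groups, semantics="option2"):
    """Union of rights from every ACI whose subject covers bind_dn.
    Grants only; precedence and denials are out of scope here."""
    rights = set()
    for subject, aci_rights in acis:
        if subject_matches(subject, bind_dn, groups, semantics):
            rights.update(aci_rights)
    return rights


# Constructed sample data.
GROUPS = {"cn=admins,ou=groups,o=novell": ["cn=bjarvis,ou=eng,o=novell"]}

# Option 2: the container alone can be granted "browse" without its subtree.
ACIS = [
    (("access-id", "ou=eng,o=novell"), {"browse"}),
    (("subtree", "ou=eng,o=novell"), {"read"}),
    (("group", "cn=admins,ou=groups,o=novell"), {"write"}),
]

# Option 3: the same intent without a subtree dn-type; access-id now
# reaches the whole subtree, so the container-only grant is not expressible.
ACIS_OPT3 = [
    (("access-id", "ou=eng,o=novell"), {"browse"}),
    (("group", "cn=admins,ou=groups,o=novell"), {"write"}),
]

if __name__ == "__main__":
    for who in ("ou=eng,o=novell", "cn=bjarvis,ou=eng,o=novell",
                "cn=x, ou=sales, o=novell"):
        print("option 2", who, sorted(granted_rights(ACIS, who, GROUPS)))
        print("option 3", who,
              sorted(granted_rights(ACIS_OPT3, who, GROUPS, "option3")))
```

Running it shows the one case where the proposals differ: under option 2, binding as the container ou=eng,o=novell yields browse plus read (the subtree ACI covers its own root), while a leaf beneath it gets read but not browse; under option 3 the access-id grant reaches the leaf as well, so a right meant for the container alone cannot be expressed. Whether that matters depends, as the message says, on how often anyone actually binds as a container.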