
Re: Examples (differing privileges, DNs) for aci-model-04



David Chadwick wrote:
>> Example #4
>> dn: o=XYZ, c=US
>> aci#4.1: 1.2.3.4#subtree#grant;w;attribute4;#access-id#cn=bjarvis
>> aci#4.2: 1.2.3.4#subtree#;r;attribute4;#access-id#cn=ABC
>> 
>> What rights does cn=bjarvis have to attribute4 of o=XYZ, c=US?
>> Two reasonable answers:
>> A4.1: w    (aci#24.2 has no bearing--no "identity equivalence")
>> A4.2: r,w    (rights are aci#1.1 "OR" aci#1.2 because of "identity
>> equivalence") I can see how some might prefer A4.1, but I strongly
>> prefer A4.2.

>I don't follow where your identity equivalence came from. Sorry.
>Was ABC meant to be an alias of bjarvis?


Obviously I did not explain well enough.  My apologies.  ABC is the parent of bjarvis.
Earlier in that posting, I wrote:

>Please excuse my abbreviated LDIF format:

...
>3.  I've only given the RDN instead of full DNs on the aci.
>     cn=bjarvis, ou=ABC, o=XYZ, c=US

Here is Example 4 again, in a form that should be clearer.


Example #4
dn: o=XYZ, c=US
aci#4.1: 1.2.3.4#subtree#grant;w;attribute4;#access-id#cn=bjarvis, ou=ABC
aci#4.2: 1.2.3.4#subtree#;r;attribute4;#access-id#ou=ABC

In aci#4.2, you can replace "access-id" with "subtree" or assume that access-id has been extended to include the subtree.

What rights does cn=bjarvis have to attribute4 of o=XYZ, c=US?
Two reasonable answers:
A4.1: w    (aci#4.2 has no bearing--rights on an object override those given to an ancestor)
A4.2: r,w    (rights are aci#1.1 "OR" aci#1.2--rights on an object = direct rights + rights given to ancestors)
I can see how some might prefer A4.1, but I strongly prefer A4.2.

--the walrus
a.k.a. Brian Jarvis
bjarvis@novell.com
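An added example, not code from this post, the mailing list, or the aci-model-04 draft: a small evaluator that runs Example #4 under both answers, A4.1 (rights on an object override those of its ancestors) and A4.2 (direct rights OR inherited rights). It uses the post's abbreviated ACI layout (family#scope#action;rights;attribute;#dnType#subjectDN) with the subject DNs expanded to full DNs under "o=XYZ, c=US" as the post's note 3 describes; the parser, the function names, and the treatment of an empty action as a grant (aci#4.2 omits the word "grant") are assumptions made for illustration. The ACI entry scope (the second "subtree" field) is not modelled, since the question concerns attribute4 of the entry that carries the ACIs.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterator, List, Optional, Set

# Constructed input: Example #4 from the post, with the subject DNs written out in
# full.  aci#4.2 uses the "subtree" dnType the post says may replace "access-id".
EXAMPLE_ACIS: List[str] = [
    "1.2.3.4#subtree#grant;w;attribute4;#access-id#cn=bjarvis, ou=ABC, o=XYZ, c=US",
    "1.2.3.4#subtree#;r;attribute4;#subtree#ou=ABC, o=XYZ, c=US",
]
REQUESTER = "cn=bjarvis, ou=ABC, o=XYZ, c=US"


@dataclass(frozen=True)
class Aci:
    family: str
    scope: str          # entry scope; not used by this evaluator (see lead-in)
    action: str         # "grant" or "deny"
    rights: FrozenSet[str]
    attribute: str
    dn_type: str        # "access-id" (exact subject) or "subtree" (subject and descendants)
    subject: str        # normalized DN


def normalize_dn(dn: str) -> str:
    # Fold case and RDN spacing so "cn=bjarvis, ou=ABC" and "cn=bjarvis,ou=abc" compare equal.
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(text: str) -> Aci:
    # Layout assumed from the post: family#scope#action;rights;attribute;#dnType#subjectDN
    family, scope, rights_part, dn_type, subject = text.split("#", 4)
    fields = rights_part.split(";")
    action = fields[0] or "grant"   # assumption: empty action (as in aci#4.2) means grant
    rights = frozenset(r for r in fields[1].split(",") if r)
    attribute = fields[2]
    return Aci(family, scope, action, rights, attribute, dn_type, normalize_dn(subject))


def ancestors(dn: str) -> Iterator[str]:
    # Proper ancestors of a DN, nearest first: ou=abc,o=xyz,c=us then o=xyz,c=us then c=us
    parts = normalize_dn(dn).split(",")
    for i in range(1, len(parts)):
        yield ",".join(parts[i:])


def matches(aci: Aci, requester: str) -> Optional[str]:
    """How an ACI applies to the requester: 'direct', 'ancestor', or None."""
    req = normalize_dn(requester)
    if aci.subject == req:
        return "direct"
    if aci.dn_type == "subtree" and aci.subject in ancestors(req):
        return "ancestor"
    return None


def effective_rights(aci_strings: List[str], requester: str, attribute: str, policy: str) -> Set[str]:
    """Rights the requester holds on `attribute` under 'override' (A4.1) or 'union' (A4.2)."""
    direct: Set[str] = set()
    inherited: Set[str] = set()
    for text in aci_strings:
        aci = parse_aci(text)
        if aci.attribute != attribute or aci.action != "grant":
            continue    # deny semantics are outside the post's example and are not modelled
        how = matches(aci, requester)
        if how == "direct":
            direct |= aci.rights
        elif how == "ancestor":
            inherited |= aci.rights
    if policy == "override":
        # A4.1: an object's own rights replace ancestor rights; fall back only when it has none
        return direct if direct else inherited
    if policy == "union":
        # A4.2: rights on an object = direct rights + rights given to ancestors
        return direct | inherited
    raise ValueError("unknown policy: " + policy)


if __name__ == "__main__":
    for policy in ("override", "union"):
        print(policy, sorted(effective_rights(EXAMPLE_ACIS, REQUESTER, "attribute4", policy)))
```

Running it reproduces the two answers from the post: "override" yields w and "union" yields r,w. A sibling entry such as cn=other, ou=ABC, o=XYZ, c=US, which has no direct ACI, gets r under both policies, which shows that the two models differ only for identities that are named both directly and through an ancestor.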