Re: Examples (differing privileges, DNs) for aci-model-04
>
> Here is Example 4 again, in a form that should be clearer.
>
>
> Example #4
> dn: o=XYZ, c=US
> aci#4.1: 1.2.3.4#subtree#grant;w;attribute4;#access-id#cn=bjarvis, ou=ABC
> aci#4.2: 1.2.3.4#subtree#;r;attribute4;#access-id#ou=ABC
>
> In aci#4.2, you can replace "access-id" with "subtree" or assume that
> access-id has been extended to include the subtree.
>
> What rights does cn=bjarvis have to attribute4 of o=XYZ, c=US?
> Two reasonable answers:
> A4.1: w (aci#4.2 has no bearing--rights on an object override those
> given to an ancestor)
> A4.2: r,w (rights are aci#1.1 "OR" aci#1.2--rights on an object =
> direct rights + rights given to ancestors)
> I can see how some might prefer A4.1, but I strongly prefer A4.2.
I agree. r, w seems best to me. Jarvis gains r because he is a
member of the ABC group.
David
>
> --the walrus
> a.k.a. Brian Jarvis
> bjarvis@novell.com
>
***************************************************
David Chadwick
IS Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351 Fax +44 161 745 8169
Mobile +44 790 167 0359
Email D.W.Chadwick@salford.ac.uk
Home Page http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J
***************************************************
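
The two readings of Example #4 discussed in this thread, worked through as an added example that is not part of either message or of the aci-model draft. Assumptions: the field layout (OID#scope#action;permissions;attributes;#subject-type#subject-DN) is inferred from the two strings as quoted, the empty action in aci#4.2 is treated as "grant" as both answers do, access-id is taken to cover the subtree as the message proposes, and all function names are hypothetical.

```python
from typing import NamedTuple

class Aci(NamedTuple):
    scope: str
    action: str
    perms: frozenset
    attrs: frozenset
    subject: tuple  # subject DN as a tuple of lower-cased RDNs

def norm_dn(dn):
    """Split a DN into lower-cased RDNs (naive: no escaped commas)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def parse_aci(text):
    """Parse one ACI value in the layout assumed from Example #4."""
    _oid, scope, rights, _subject_type, subject = text.split("#", 4)
    action, perms, attrs = rights.split(";")[:3]
    return Aci(scope, action or "grant",  # assumption: empty action means grant
               frozenset(perms.lower().split(",")),
               frozenset(attrs.lower().split(",")),
               norm_dn(subject))

def subject_depth(aci, requester):
    """RDN count of the ACI subject if it is the requester or one of the
    requester's ancestors, else 0 (no match)."""
    n = len(aci.subject)
    return n if n <= len(requester) and requester[-n:] == aci.subject else 0

def effective_rights(acis, requester_dn, attr, combine):
    """combine='override': only the most specific matching subject counts (A4.1).
    combine='union': rights from every matching subject are ORed (A4.2).
    Target matching is omitted because both ACIs sit on the target entry;
    deny entries are not modelled."""
    requester = norm_dn(requester_dn)
    hits = [(subject_depth(a, requester), a) for a in acis
            if a.action == "grant" and attr.lower() in a.attrs]
    hits = [(d, a) for d, a in hits if d]
    if combine == "override" and hits:
        best = max(d for d, _ in hits)
        hits = [(d, a) for d, a in hits if d == best]
    return set().union(*(a.perms for _, a in hits))

# ACI values copied from Example #4 (placed on dn: o=XYZ, c=US)
EXAMPLE_4 = [
    parse_aci("1.2.3.4#subtree#grant;w;attribute4;#access-id#cn=bjarvis, ou=ABC"),
    parse_aci("1.2.3.4#subtree#;r;attribute4;#access-id#ou=ABC"),
]

if __name__ == "__main__":
    for mode in ("override", "union"):
        rights = effective_rights(EXAMPLE_4, "cn=bjarvis, ou=ABC", "attribute4", mode)
        print(mode, sorted(rights))
```

Under "override", a broad grant added later to ou=ABC never reaches cn=bjarvis; under "union" it does, so the choice between A4.1 and A4.2 decides whether a direct ACI can be used to narrow a user's rights at all.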