
Re: Comments on the ACL Model draft



I'll try to clarify a couple of places where our comments weren't clear
enough.

Rick Huber

: >Page 15:
: >
: >TECHNICAL:
: >
: >              means that this group (Dept XYZ) is granted permission to
: >              read and search all attributes except attr1 because attr1
: >              is more specific than "[all]".
: >              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: >
: >What if it were two collections rather than specific attribute vs. [all]?
: >How do you determine which is "more specific"?
: 
: (EJS)  Collection is more specific than All.  Collections are server defined,
: so it is possible, but not probable, for an attribute to be a member of both
: collections.  The specificity would be server defined.  Also, keep in mind
: that I'm soliciting input on whether to keep or remove 'collection' - we'll do
: whatever is the consensus.

The question was meant to address the case where an attribute is a
member of more than one collection and the different collections have
different permissions.

As for whether to keep or remove collections, my vote is to remove them
and put in the "list of attributes" from one of the earlier email
exchanges on this topic.  But you will still have the issue of what to
do when one attribute appears in two different lists and the different
lists have different permissions.

: >TECHNICAL:
: >
: >"deny" takes precedence over "grant", but groups have precedence over
: >roles.  What happens if a permission is granted to a subject by virtue
: >of group membership but denied by virtue of role membership?
: 
: (EJS) Let's answer when we settle on precedence of groups and roles.
: 
: >What is the precedence among precedence groupings?
: 
: (EJS) If I understand the question correctly, none; union semantics would
: apply and deny takes precedence over grant when both are listed.

I think we didn't make the question clear.  There is a precedence of
dnTypes, and there is a precedence of grant/deny.  It is not clear how
these precedences interact.  We used group vs role only as an example.
The question could be restated as:

  What happens if a permission is granted to a subject by virtue of the
  subject's access-ID but denied by virtue of subtree membership?  Since
  access-ID has precedence over subtree membership, the permission
  should be granted, but since deny has precedence over grant it should
  be denied.  Which precedence rule applies?

I don't think union semantics apply to this question.

: >Page 31:
: >
: >TECHNICAL:
: >
: >Should the security considerations section include some mention of the
: >special problems that might arise in a replicated environment?  What
: >happens when new entries or attributes arrive at a replicated server
: >out of sequence with the arrival of associated ldapACI data?
: 
: (EJS)  I suggest that at a future time there be a draft that discusses the
: interaction of access control with other directory functions/features.  In the
: case of replication, perhaps we should look at adding this to one of the
: (many) ldup drafts.  I'll put this on my list to discuss since I author an
: ldup draft.

I don't think that we were suggesting that this issue must be resolved
in the draft, just that it should be raised as a security concern that
has to be considered.  I agree that a full treatment of the issue is
worth detailed examination in an LDUP document, but it is a security
consideration related to the subject of this draft and should be
noted as such in this draft.
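The precedence question restated above (access-ID grant versus subtree deny) can be made concrete by evaluating the same request under the two readings the thread leaves open. The evaluator below is an added illustration, not code from the draft or from anyone in the thread. It assumes a full dnType order of access-ID, group, role, subtree (the thread only states access-ID over subtree and group over role), a default of no access when no ACI applies, a simple membership model keyed by dnType, and constructed DNs.

```python
from dataclasses import dataclass

# Assumed dnType precedence, most specific first.  The thread only states
# that access-ID outranks subtree and that group outranks role; placing
# group and role between the two is an assumption for illustration.
SUBJECT_PRECEDENCE = ["access-id", "group", "role", "subtree"]


@dataclass(frozen=True)
class Aci:
    subject_type: str  # a dnType from SUBJECT_PRECEDENCE
    subject: str       # the DN (or group/role name) the ACI names
    action: str        # "grant" or "deny"
    permission: str    # a single permission letter, e.g. "r" for read


def applicable(acis, memberships, permission):
    """Return the ACIs that mention `permission` and whose subject the
    requester matches.  `memberships` maps dnType -> set of matched names."""
    return [
        a for a in acis
        if a.permission == permission
        and a.subject in memberships.get(a.subject_type, set())
    ]


def resolve_deny_first(acis, memberships, permission):
    """Interpretation A: deny-over-grant is applied across all applicable
    ACIs, so a single deny of any dnType blocks the permission."""
    hits = applicable(acis, memberships, permission)
    if not hits:          # assumption: nothing applicable means no access
        return False
    return all(a.action == "grant" for a in hits)


def resolve_type_first(acis, memberships, permission):
    """Interpretation B: only ACIs of the most specific applicable dnType
    are considered; deny-over-grant is applied within that set only."""
    hits = applicable(acis, memberships, permission)
    if not hits:
        return False
    best = min(SUBJECT_PRECEDENCE.index(a.subject_type) for a in hits)
    top = [a for a in hits if SUBJECT_PRECEDENCE.index(a.subject_type) == best]
    return all(a.action == "grant" for a in top)


def compare(acis, memberships, permission):
    """Evaluate one request under both interpretations side by side."""
    return {
        "deny-first": resolve_deny_first(acis, memberships, permission),
        "type-first": resolve_type_first(acis, memberships, permission),
    }


# Constructed scenario matching the restated question in the thread: read is
# granted to the requester's own access-ID but denied to the subtree that
# contains the requester's entry.  DNs are made up for the example.
REQUESTER_DN = "cn=Rick Huber,ou=Dept XYZ,o=Example"
DEPT_SUBTREE = "ou=Dept XYZ,o=Example"

THREAD_SCENARIO = [
    Aci("access-id", REQUESTER_DN, "grant", "r"),
    Aci("subtree", DEPT_SUBTREE, "deny", "r"),
]

# What the requester matches under each dnType (constructed).
REQUESTER = {
    "access-id": {REQUESTER_DN},
    "subtree": {DEPT_SUBTREE},
}

# A non-conflicting policy for contrast: both ACIs grant.
CONSISTENT_SCENARIO = [
    Aci("access-id", REQUESTER_DN, "grant", "r"),
    Aci("subtree", DEPT_SUBTREE, "grant", "r"),
]

if __name__ == "__main__":
    print("conflicting:", compare(THREAD_SCENARIO, REQUESTER, "r"))
    print("consistent: ", compare(CONSISTENT_SCENARIO, REQUESTER, "r"))
    print("no ACI for 'w':", compare(THREAD_SCENARIO, REQUESTER, "w"))
```

The two interpretations agree whenever the applicable ACIs do not conflict and whenever none applies; they diverge exactly on the case the thread raises, which is why a draft has to say which rule is applied first rather than leaving it to each server. The same shape of conflict arises for an attribute that belongs to two collections (or two attribute lists) with different permissions, and it would need the same explicit ordering.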