
Re: ldapACI permissions

My response < djb >


Thanks,

Debora Byrne
Manager Secure Way Directory Config / User Interface
INet: djbyrne@us.ibm.com
Phone: (512)838-1930 ( T/L 678 )


From: George_Robert_Blakley_III@tivoli.com
Date: 03/22/00 12:10 PM
To: Kyungae_Lim@iris.com
cc: ietf-ldapext@netscape.com, djbyrne@us.ibm.com
Subject: Re: ldapACI permissions

All,

<bb>
<bb> What we're really talking about here is the default policy which applies to a newly created
<bb> object.
It is not just ldapACI - the question is, should a user with the 'add'
permission be allowed to set ANY attribute value during object creation
time, or is there a way for the administrator to restrict access to enter
certain (sensitive) attributes while still granting the 'add' permission?
<bb>
<bb> Our choices here seem to be:
<bb>
<bb> (1) Allow the creator of the object to set values for specified attributes (including ldapACI) based
<bb>       on permissions governed by an ACL inherited from an ancestor entry.
<bb> (2) Allow the creator of the object to set values for all attributes EXCEPT ldapACI attributes
<bb>       -- only the policy owner can change the ldapACI attributes
<bb> (3) Allow the creator of the object to set values for ALL attributes - in this case control over the
<bb>       ldapACI for the newly created object is governed by the ACL on the containing directory.
<bb>
<bb> Can we get some discussion toward a consensus here?

How is 3) different from 1)?

< djb > We were not specific enough in option 3.

In option 3, we allow all values to be set at object creation time.
After creation, the attributes are controlled by the ldapACI attribute.

In option 1, the attributes which can be specified at object creation time are
determined by an ancestor entry's ldapACI. The creator would need 'write' access to
the attributes (s)he wants to set. After creation time, they are controlled by
the ldapACI attribute at the entry ( possibly the value is inherited from an ancestor ).

( Option 2 is similar to option 3 except that the ldapACI value cannot be set )


--bob

Bob Blakley
Chief Scientist
Tivoli SecureWay Business Unit
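A toy model of the three creation-time policies discussed above, added here as an illustration and not part of the thread; the directory, the subjects (cn=admin, cn=creator) and the grant tuples are constructed, and the grant format is a simplification rather than the ldapACI syntax of the draft.

```python
# Toy model of the three creation-time policies in the thread. Constructed for
# illustration: grants are (subject, attribute-or-'*', permissions) tuples, a
# simplification and not the ldapACI syntax of the draft.

# Constructed directory: DN -> attributes. Only o=example carries an ldapACI;
# ou=people inherits it, as in option 1's "ACL inherited from an ancestor".
DIRECTORY = {
    "o=example": {
        "ldapACI": [
            ("cn=admin", "*", frozenset({"add", "write"})),
            ("cn=creator", "*", frozenset({"add"})),
            ("cn=creator", "cn", frozenset({"write"})),
            ("cn=creator", "mail", frozenset({"write"})),
        ],
    },
    "ou=people,o=example": {},
}

def parent_dn(dn):
    return dn.split(",", 1)[1] if "," in dn else None

def effective_aci(dn):
    """Nearest ldapACI at or above dn: the policy an entry inherits."""
    while dn is not None:
        aci = DIRECTORY.get(dn, {}).get("ldapACI")
        if aci:
            return aci
        dn = parent_dn(dn)
    return []

def has_perm(aci, subject, attr, perm):
    """A '*' grant covers every attribute; 'add' is modelled as a '*' grant."""
    return any(s == subject and a in ("*", attr) and perm in p for s, a, p in aci)

def can_set_at_create(option, creator, parent, attr):
    """May `creator` supply `attr` on a new child of `parent` under option 1/2/3?"""
    aci = effective_aci(parent)
    if not has_perm(aci, creator, "*", "add"):  # every option needs 'add' on the container
        return False
    if option == 1:  # attribute-level 'write' taken from the inherited ACL
        return has_perm(aci, creator, attr, "write")
    if option == 2:  # anything except the ldapACI attribute itself
        return attr != "ldapACI"
    if option == 3:  # anything; later changes to ldapACI fall to the container's ACL
        return True
    raise ValueError("unknown option %r" % option)
```

Under option 1 the creator can set cn but not userPassword or ldapACI on a new entry under ou=people, under option 2 everything but ldapACI, and under option 3 everything, which is the difference the question "How is 3) different from 1)?" is asking about.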