
access control to entry attributes



I'm new to this mailing list, so I hope I don't sound uneducated. I've been
reviewing the access control draft and I keep thinking of a scenario that I
don't think is covered.

The way our customers usually like the access control is to grant or deny
privileges to attributes within the context of an object class. So, for
instance, I would like to give group1 access to all attributes of Person
objects within a subtree. Then give group2 only access to attributes cn and
sn for Person objects within the same subtree. This is not the same as
simply giving them access to all cn and sn attributes, because I don't want
them to have those permissions on non-Person objects that use the cn and sn
attributes. I know this can be done by placing the ACIs directly on each
Person entry, but this seems like a lot of work. I'd like to do it for the
subtree per object class.

Even beyond that, if the namespace is flat, it would be beneficial to not
only use the class as a filter, but maybe a more extensive search criteria.

If I'm being clear enough, how would the new specs handle these scenarios?

Thanks,
Tony Gullotta
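A small added model of the scenario described in the post above (my own illustration, not code from the post or from the access control draft it discusses). Rules are scoped by a subtree, an entry predicate that stands in for the object-class filter (or any richer search criterion, as the post asks for), an optional attribute list and a subject group; the DNs, group names and entries are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Entry:
    dn: str
    object_classes: set
    attributes: dict  # attribute name -> value

@dataclass
class Rule:
    subtree: str                    # rule applies at or below this DN
    match: Callable[[Entry], bool]  # stands in for the search filter
    attrs: Optional[frozenset]      # None = every attribute of the entry
    group: str                      # subject granted the rights
    rights: frozenset

def in_subtree(dn: str, base: str) -> bool:
    return dn == base or dn.endswith("," + base)

def has_class(name: str) -> Callable[[Entry], bool]:
    """Predicate equivalent to the filter (objectClass=name)."""
    return lambda e: name in e.object_classes

def permitted(rules, entry, groups, attr, right) -> bool:
    """True if some rule grants `right` on `attr` of `entry` to a group in `groups`; default deny."""
    for r in rules:
        if not in_subtree(entry.dn, r.subtree) or not r.match(entry):
            continue  # out of scope, or the filter does not match this entry
        if r.attrs is not None and attr not in r.attrs:
            continue  # rule does not cover this attribute
        if r.group in groups and right in r.rights:
            return True
    return False

def readable_attributes(rules, entry, groups) -> set:
    return {a for a in entry.attributes if permitted(rules, entry, groups, a, "read")}

PEOPLE = "ou=people,dc=example,dc=com"  # constructed subtree
RULES = [
    Rule(PEOPLE, has_class("person"), None, "group1", frozenset({"read", "write"})),
    Rule(PEOPLE, has_class("person"), frozenset({"cn", "sn"}), "group2", frozenset({"read"})),
]
# Constructed entries: a Person, and a non-Person (device) that also carries cn.
PERSON = Entry("cn=Alice Example," + PEOPLE, {"top", "person"},
               {"cn": "Alice Example", "sn": "Example", "telephoneNumber": "555-0100"})
DEVICE = Entry("cn=printer1," + PEOPLE, {"top", "device"}, {"cn": "printer1"})

if __name__ == "__main__":
    for who in ("group1", "group2"):
        print(who, sorted(readable_attributes(RULES, PERSON, {who})),
              sorted(readable_attributes(RULES, DEVICE, {who})))
```

Because the object-class predicate is part of the rule's scope, group2 reads cn and sn on the Person entry but nothing on the device entry, even though it also has a cn.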