
Re: Considering Attribute Subtypes during ACL evaluation




Kurt,

If we limit the access control syntax/BNF so as to not allow attribute descriptions in the specification of the ACI, then it seems to me we can go with your final approach at the bottom.  This seems to me to be sufficient and expressive, and still allows an ACI to be specified on "name" and apply to "cn" and "sn", etc.

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)
phone: 607.752.6388     tie-line: 8/852.6388
fax: 607.752.3681

To:        "Jim Sermersheim" <JIMSE@novell.com>
cc:        <ietf-ldapext@netscape.com>, "Duane Buss" <DBuss@novell.com>
Subject:        Re: Considering Attribute Subtypes during ACL evaluation



At 05:37 PM 9/28/00 -0600, Jim Sermersheim wrote:
>Are attribute subtypes considered when calculating access control information? In other words, if I have read permission to the "name" attribute, does that automatically give me read permission to sn, cn, givenName, etc?
>
>I can't find any coverage of this in X.511 or the latest ACL draft. Due to the lack of anyone talking about it, my assumption is that, no, permissions do not flow down attribute inheritance chains, they must be explicitly stated for each attribute.
>
>Of course with LDAP, this brings up the question of whether they apply to attribute type options. It seems to make sense, under most circumstances, to apply them in this case. Oh, what a world - what a world.

When I asked this question previously, the answer was "no, ACLs
apply only to the specified type, not subtypes".

I have argued that each ACL should be applied to subtypes.  One
issue in adding such is which ACL takes precedence.  This is
complicated by multiple inheritance due to attribute
description options.

One possible precedence:
       type;a;b;c
       type
       supertype;a;b;c
       supertype

Of course, if one of the options was "binary", it sure would be
nice to allow
       type;a;binary;c
       type;a;c
       type
       supertype;a;binary;c
       supertype;a;c
       supertype

But this seems overly complicated.  An alternative would be to
say that ACLs apply to attribute types, not attribute descriptions.
So, access to "type;a;b;c" would be governed by:
       type
       supertype

I prefer this.

Kurt
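The two precedence rules discussed above, as an added worked example (not code from either message or from any LDAP server): a small resolver that walks an attribute's supertype chain and picks the governing ACI either on bare types only (the rule Kurt prefers, with the BNF restriction Tim suggests enforced by rejecting option-bearing ACI keys) or with the first, option-aware precedence list (type;a;b;c, type, supertype;a;b;c, supertype). The schema fragment (cn, sn, givenName under name), the ACI tables and the function names are constructed for illustration; the "binary" variant is deliberately not implemented.

```python
from typing import Dict, FrozenSet, Mapping, Optional, Tuple

# Constructed schema fragment (assumption): attribute type -> its supertype,
# or None at the root of the chain.  Types are stored lower-cased.
SUPERTYPE: Dict[str, Optional[str]] = {
    "name": None,
    "cn": "name",
    "sn": "name",
    "givenname": "name",
    "mail": None,
}

Key = Tuple[str, FrozenSet[str]]  # (type, options)


def parse_description(desc: str) -> Key:
    """Split 'type;opt1;opt2' into (type, options).

    LDAP attribute types and options are case-insensitive, and option order
    carries no meaning, so everything is lower-cased and options become a set.
    """
    parts = [p.strip().lower() for p in desc.split(";") if p.strip()]
    if not parts:
        raise ValueError(f"empty attribute description: {desc!r}")
    return parts[0], frozenset(parts[1:])


def supertype_chain(attr_type: str):
    """Yield the type itself, then each supertype up to the root.

    A type absent from SUPERTYPE is treated as a root; a cycle is an error.
    """
    seen = set()
    t: Optional[str] = attr_type
    while t is not None:
        if t in seen:
            raise ValueError(f"cycle in supertype chain at {t!r}")
        seen.add(t)
        yield t
        t = SUPERTYPE.get(t)


def normalize_acis(acis: Mapping[str, str]) -> Dict[Key, str]:
    """Re-key an {attribute description: permission} table by parsed Key."""
    return {parse_description(d): perm for d, perm in acis.items()}


def govern_type_only(desc: str, acis: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Kurt's preferred rule: ACIs attach to attribute types, never to
    attribute descriptions, so options on the requested attribute are ignored
    and precedence is simply type, then supertype, ... up to the root.

    Following Tim's suggestion that the ACI syntax disallow descriptions,
    any ACI keyed with options is rejected outright.
    """
    table = normalize_acis(acis)
    for key in table:
        if key[1]:
            raise ValueError(f"ACI on attribute description not allowed: {';'.join([key[0], *sorted(key[1])])}")
    attr_type, _options = parse_description(desc)
    for t in supertype_chain(attr_type):
        perm = table.get((t, frozenset()))
        if perm is not None:
            return (t, perm)
    return None


def govern_with_options(desc: str, acis: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """The first precedence list in the message: at each level of the chain an
    ACI on exactly 'type;a;b;c' beats one on the bare 'type', and the whole
    pair is tried before moving to the supertype.
    """
    table = normalize_acis(acis)
    attr_type, options = parse_description(desc)
    for t in supertype_chain(attr_type):
        for candidate in ((t, options), (t, frozenset())):
            perm = table.get(candidate)
            if perm is not None:
                return (";".join([t, *sorted(candidate[1])]), perm)
    return None


if __name__ == "__main__":
    # Constructed ACI tables for a quick look at both rules.
    by_type = {"name": "read", "mail": "none"}
    print(govern_type_only("sn;lang-en", by_type))
    by_desc = {"name": "read", "cn": "compare", "cn;lang-en": "write"}
    print(govern_with_options("cn;lang-de", by_desc))
```

Under the type-only rule an ACI on "name" governs cn, sn and givenName regardless of any options on the request, which is exactly the behaviour Tim describes; under the option-aware rule the same request can be answered at four different points in the lattice, which is the precedence question Kurt raises.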