
Re: Considering Attribute Subtypes during ACL evaluation



Prasanta Behera wrote:
> 
> Currently the Netscape/iPlanet DS ACL supports attribute inheritance of
> subtypes, e.g. if you allow access to
> "cn", it automatically means { cn, cn;* }
> 
> However, it is much harder to map "name" to "cn, sn".
> Why can't this be a UI thing? Why does it have to be
> declarative in the ACL syntax itself? It will be nice if it
> can be supported but I don't see a big reason ...

The schema and access control may be managed by different individuals.  One
can envisage a user being permitted to define a subtype of an attribute but 
not having the ability to modify access control rights.  As there are no 
rights to the new attribute, it might disappear. 

Mark Wahl
Sun Microsystems, Inc.
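
The two evaluation modes discussed in this thread, as an added example that is not part of the original messages or of any directory server's code. It is a minimal Python model; the schema, the ACL set, the entry values and the `nickname` subtype are all constructed for illustration.

```python
# Constructed schema: attribute type -> direct supertype (None = no SUP).
SCHEMA = {"name": None, "cn": "name", "sn": "name", "description": None}

def base_type(attr_desc):
    """Strip options and fold case: 'cn;lang-en' -> 'cn'."""
    return attr_desc.split(";", 1)[0].lower()

def supertype_chain(attr_type, schema):
    """Yield attr_type, then each supertype, nearest first."""
    seen = set()
    while attr_type is not None and attr_type not in seen:
        seen.add(attr_type)  # guard against a cyclic SUP definition
        yield attr_type
        attr_type = schema.get(attr_type)

def can_read(attr_desc, acl, schema, inherit_subtypes):
    """acl is the set of attribute types a rule grants read access to."""
    t = base_type(attr_desc)
    if not inherit_subtypes:
        return t in acl  # option inheritance only: cn covers cn;*
    return any(s in acl for s in supertype_chain(t, schema))

def visible(entry, acl, schema, inherit_subtypes):
    """Return the attributes of entry that the requester may read."""
    return {a: v for a, v in entry.items()
            if can_read(a, acl, schema, inherit_subtypes)}

def demo():
    # A schema manager with no ACL rights defines a new subtype of cn.
    schema = dict(SCHEMA, nickname="cn")
    entry = {"cn": "Barbara Jensen", "cn;lang-en": "Babs Jensen",
             "sn": "Jensen", "nickname": "Babs", "description": "constructed"}
    acl = {"cn"}  # constructed ACL written before nickname existed
    return (visible(entry, acl, schema, False),
            visible(entry, acl, schema, True))

if __name__ == "__main__":
    for result in demo():
        print(sorted(result))
```

With option inheritance only, the new `nickname` attribute is stored but no rule grants access to it; with supertype inheritance the existing grant on `cn` covers it without any ACL change.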