
RE: Considering Attribute Subtypes during ACL evaluation



Tim,
 
I am not so sure this is a good idea.  I may want to allow anonymous readers
access to sn, but not to gn, for instance.  While those of us "in the know"
may be able to set up a specific deny on gn, it may be less intuitive to
people with less knowledge of the standards.
 
Cheers,                                 ....Erik.
Erik Skovgaard
Siemens Meta-Directory Solutions
Phone: +1 604-204-0750
Fax:   +1 604-204-0760 

-----Original Message-----
From: hahnt@us.ibm.com [mailto:hahnt@us.ibm.com]
Sent: Saturday, September 30, 2000 04:13
To: ietf-ldapext@netscape.com
Subject: Re: Considering Attribute Subtypes during ACL evaluation



Jim, 

Good question! 

I know that implementing access control such that attribute inheritance were
taken into account would definitely be harder, but I feel that attribute
inheritance SHOULD be considered during access control checks. 

Thus, if some entity is granted read and write privileges to 'name', then
they should be allowed the same privileges to 'cn', 'sn', and 'cn;lang-en'
(unless overridden by another permission that disallows such access).

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)
phone: 607.752.6388     tie-line: 8/852.6388
fax: 607.752.3681


To:        <ietf-ldapext@netscape.com> 
cc:        "Duane Buss" <DBuss@novell.com> 
Subject:        Considering Attribute Subtypes during ACL evaluation 




Are attribute subtypes considered when calculating access control
information? In other words, if I have read permission to the "name"
attribute, does that automatically give me read permission to sn, cn,
givenName, etc?

I can't find any coverage of this in X.511 or the latest ACL draft. Due to
the lack of anyone talking about it, my assumption is that, no, permissions
do not flow down attribute inheritance chains, they must be explicitly
stated for each attribute.

Of course with LDAP, this brings up the question of whether they apply to
attribute type options. It seems to make sense, under most circumstances,
to apply them in this case. Oh, what a world - what a world.
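The following is an added illustration, not code from any of the posters, from X.511, or from the LDAP ACL draft. It is a toy ACL evaluator that makes the two readings in the thread concrete: with inherit=False, rights must be stated per attribute type (Jim's assumption), and only attribute options such as ";lang-en" are collapsed onto the base type; with inherit=True, a grant on 'name' flows down to cn, sn and givenName (Tim's proposal), and an explicit deny anywhere on the supertype chain overrides the grant, which is the "specific deny" Erik describes. The SUPERTYPE dict, the Ace record layout, the subject names and the sample ACL are all assumptions constructed for this example.

```python
"""Toy LDAP ACL evaluator: attribute subtypes and options.

Added example for illustration only; not code from the thread, X.511 or
any IETF draft. The schema fragment, ACE format and sample ACL below are
constructed assumptions.
"""
from dataclasses import dataclass

# Assumed schema fragment: attribute type -> its direct supertype (SUP).
# Follows the usual name -> cn / sn / givenName hierarchy; constructed here.
SUPERTYPE = {
    "cn": "name",
    "sn": "name",
    "givenname": "name",
    "name": None,
    "mail": None,
}


@dataclass(frozen=True)
class Ace:
    """One access control entry (assumed format)."""
    subject: str         # e.g. "anonymous"
    attribute: str       # attribute type as written in the ACL, no options
    rights: frozenset    # e.g. frozenset({"read", "write"})
    allow: bool          # True = grant, False = explicit deny


def base_type(attr_desc: str) -> str:
    """Strip attribute options: 'cn;lang-en' -> 'cn' (case-insensitive)."""
    return attr_desc.split(";", 1)[0].lower()


def supertype_chain(attr_type: str) -> list:
    """Walk SUP links: 'cn' -> ['cn', 'name']. Unknown types have no SUP."""
    chain = []
    t = attr_type.lower()
    while t is not None:
        chain.append(t)
        t = SUPERTYPE.get(t)
    return chain


def permitted(acl, subject, attr_desc, right, inherit=True) -> bool:
    """Return True if `subject` may exercise `right` on `attr_desc`.

    inherit=False: rights apply only to the exact base type (options are
                   still collapsed onto it, i.e. cn;lang-en is judged as cn).
    inherit=True : a right on a supertype flows to its subtypes; an explicit
                   deny anywhere on the chain overrides any grant on it.
    """
    base = base_type(attr_desc)
    chain = supertype_chain(base) if inherit else [base]

    def matches(ace):
        return (ace.subject == subject
                and right in ace.rights
                and ace.attribute.lower() in chain)

    # Deny-overrides: a specific deny on givenName beats a grant on name.
    if any(matches(ace) and not ace.allow for ace in acl):
        return False
    return any(matches(ace) and ace.allow for ace in acl)


# Constructed sample ACL for the scenario in the thread: anonymous readers
# get 'name' (and therefore sn, cn, cn;lang-en under inheritance) but are
# explicitly denied givenName.
SAMPLE_ACL = [
    Ace("anonymous", "name", frozenset({"read"}), True),
    Ace("anonymous", "givenName", frozenset({"read"}), False),
]


def evaluate_all(acl, subject, attrs, right):
    """Compare both policies for a list of attribute descriptions."""
    return {a: (permitted(acl, subject, a, right, inherit=False),
                permitted(acl, subject, a, right, inherit=True))
            for a in attrs}


if __name__ == "__main__":
    for attr, (no_inh, inh) in evaluate_all(
            SAMPLE_ACL, "anonymous",
            ["name", "sn", "cn", "cn;lang-en", "givenName", "mail"],
            "read").items():
        print(f"{attr:12} per-type={no_inh!s:5} inherited={inh}")
```

Under inherit=False only 'name' itself is readable, which is the behaviour Jim expected; under inherit=True sn, cn and cn;lang-en become readable as well, while the explicit deny keeps givenName closed. Note that the deny must be written by the administrator; without it the grant on 'name' silently exposes givenName, which is the point Erik raises.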


