ACL access decision question



Hi,
 
The ACL model draft says that more specific functions should override less specific ones, and deny overrides grant. Also, it says specificity applies to both subject and attributes.
 
Now given two ACIs for a target entry:
 
aci1: entry#grant:r#attrname#group:cn=g1,o=n
aci2: entry#grant:w#[all]#authzID-dn:cn=u1,o=n
 
If u1 belongs to group g1, which aci takes precedence?
aci1: because attrname is more specific than [all] or
aci2: because authzID-dn is more specific than group
 
What happens if one is grant:w and another is deny:w in the above case?
 
What is the precedence relation between the various dimensions of ACIs: scope, target specificity, subject specificity, attribute specificity, and grant/deny?
 
Thanks and Regards,
Haripriya