
Re: ACL access decision question



Date forwarded: 	Fri, 13 Oct 2000 05:18:03 -0700 (PDT)
Date sent:      	Fri, 13 Oct 2000 06:17:41 -0600
From:           	"Haripriya S" <SHARIPRIYA@novell.com>
To:             	<ietf-ldapext@netscape.com>
Subject:        	ACL access decision question
Forwarded by:   	ietf-ldapext@netscape.com

Haripriya

I have already raised a similar issue with Ellen. My point is that the 
aci should be ordered in a precedence order and then you move 
down the list for the particular operation you are evaluating. If it is a 
modify operation, then the aci2 would be used to grant permission 
to add values (but not remove them), and if it is a search operation 
you are evaluating, then aci1 would be used to grant read 
permission to attrname.

David


> Hi,
> 
> The ACL model draft says that more specific functions should override
> less specific ones, and deny overrides grant. Also, it says
> specificity applies to both subject and attributes.
> 
> Now given two ACIs for a target entry:
> 
> aci1: entry#grant:r#attrname#group:cn=g1,o=n
> aci2: entry#grant:w#[all]#authzID-dn:cn=u1,o=n
> 
> If u1 belongs to group g1, which aci takes precedence? 
> aci1: because attrname is more specific than [all] or 
> aci2: because authzID-dn is more specific than group
> 
> What happens if one is grant:w and another is deny:w in the above
> case?
> 
> What is the precedence relation between various dimensions of ACIs:
> scope, target specificity, subject specificity, attribute specificity,
> and grant/deny.
> 
> Thanks and Regards,
> Haripriya
> 


***************************************************

David Chadwick
IS Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351  Fax +44 161 745 8169
Mobile +44 790 167 0359
Email D.W.Chadwick@salford.ac.uk
Home Page  http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J

***************************************************
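As an added illustration of the ordered-walk evaluation David describes (example code, not from either author or the draft): a small Python evaluator for the "scope#grant|deny:perms#attr#subject" ACI strings quoted in the question. The precedence ordering it uses (named attribute over [all], authzID-dn over group, deny over grant on a tie) and the meaning of the permission letters (r = read, w = add values) are assumptions for the example, not answers the thread settles.

```python
# Added example, not part of the original thread. Evaluates the two ACIs
# from the question with an assumed precedence ordering (see lead-in).
from dataclasses import dataclass


@dataclass
class Aci:
    scope: str     # e.g. "entry"
    action: str    # "grant" or "deny"
    perms: str     # permission letters, e.g. "r" or "w"
    attr: str      # attribute name or "[all]"
    subject: str   # "group:<dn>" or "authzID-dn:<dn>"


def parse_aci(text):
    """Split 'scope#action:perms#attr#subject' into its four fields."""
    scope, rights, attr, subject = text.split("#", 3)
    action, perms = rights.split(":", 1)
    if action not in ("grant", "deny"):
        raise ValueError("bad action in ACI: " + text)
    return Aci(scope, action, perms, attr, subject)


def subject_matches(aci, user_dn, groups):
    kind, _, dn = aci.subject.partition(":")
    if kind == "authzID-dn":
        return dn == user_dn
    if kind == "group":
        return dn in groups
    return False


def precedence(aci):
    # Assumed ordering, lowest tuple = most specific: a named attribute
    # beats [all], authzID-dn beats group, deny beats grant on a tie.
    attr_rank = 0 if aci.attr != "[all]" else 1
    subj_rank = 0 if aci.subject.startswith("authzID-dn:") else 1
    deny_rank = 0 if aci.action == "deny" else 1
    return (attr_rank, subj_rank, deny_rank)


def decide(acis, user_dn, groups, attr, perm):
    """Walk the ACIs in precedence order; the first ACI that applies to this
    subject, attribute and permission decides. No applicable ACI = denied."""
    for aci in sorted(map(parse_aci, acis), key=precedence):
        if perm not in aci.perms or not subject_matches(aci, user_dn, groups):
            continue
        if aci.attr != "[all]" and aci.attr != attr:
            continue
        return aci.action == "grant"
    return False


# Constructed inputs: the two ACIs from the question; u1 is a member of g1.
ACIS = ["entry#grant:r#attrname#group:cn=g1,o=n",
        "entry#grant:w#[all]#authzID-dn:cn=u1,o=n"]
U1, G1 = "cn=u1,o=n", {"cn=g1,o=n"}
```

With these inputs a search (r) on attrname by u1 is granted by aci1 and an add (w) by aci2, matching David's reading that the two ACIs serve different operations rather than conflicting.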