
ACL Model and application defined permission
As I understand it, in the current ACL Model draft, the kinds of permissions that an LDAP server understands are limited to those defined in clause 4.1.1. Is this accurate? The reason that I ask is that I would like to store application-defined permissions as well. For example, I have an application that allows users to perform several different actions on various types of objects. Let's call these objects foo objects, and the actions foo-1 through foo-n. None of these correspond to the add, delete, export, etc. permissions defined in clause 4.1.1. I would like to be able to have an ACI assigned to an entry that represents a foo object that grants permissions to perform some foo-i actions to some list of subject entries (i.e. users, groups, organizationalUnits, domainContexts, etc.). Can I grant these permissions with the mechanisms currently defined in the ACL Model draft? My presumption is that this would require a new permission level, but I don't see how to shoehorn this into the BNF of 4.1.1 or the ASN.1 of 4.1.2.

I would also like to be able to verify that a subject entry has the appropriate rights to perform an operation against a specified object. How is this supposed to work in the existing model? Either the effective rights control or extended operation ought to be able to work for this, but the definitions are confusing to me. There should be a new clause 11.1.4 that gives a specific example of a Search request with the control that shows how to do permission verification. Similarly, there should be a new clause 12.2 that gives a specific example of the use of the extended operation. I'd note that in both of these cases, there ought to be a way for the LDAP client to list out the permissions in which it is interested.

I'd also like to be able to find all of the entries in a specified scope to which a specified user has permission to perform action foo. I'm guessing that I'm supposed to use the effective rights control for this, but without the example, I'm at a loss as to how to build the search and the control appropriately.

Overall, the model appears to be very close to meeting the requirements for application defined permissions.

Thanks,

Bruce Greenblatt
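As an added example (not part of Bruce's message, and not code from the ACL Model draft or any LDAP server), the following Python sketch models the three things the message asks for: an ACI carrying application-defined permissions (foo-1 .. foo-n) on a foo entry, a check of whether a given subject holds one of those permissions on one object, and a scoped enumeration of the foo entries on which the subject holds it. The attribute name `appACI`, its `scope#grant|deny:perms#subject` value syntax, the deny-overrides-grant rule, the subtree inheritance rule and the in-memory directory contents are all assumptions made for the illustration; they do not reproduce the draft's BNF of 4.1.1 or the ASN.1 of 4.1.2, and a real server would evaluate group membership and DN matching far more carefully than the naive string handling here.

```python
"""Toy evaluator for application-defined permissions on LDAP-style entries.

Illustration only: the attribute name, the ACI value syntax and the
directory contents are assumptions, not the ACL Model draft's grammar.
"""
from typing import Dict, List, Set

# Constructed sample directory: dn -> attributes (multi-valued, lower-case keys).
# Assumed appACI value syntax: "<scope>#<grant|deny>:<perm>[,<perm>...]#<subject>"
#   scope   : "entry" (this entry only) or "subtree" (this entry and its descendants)
#   subject : "user:<dn>", "group:<dn>" (member attribute is consulted) or "all"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "o=example": {"objectclass": ["organization"]},
    "ou=groups,o=example": {"objectclass": ["organizationalUnit"]},
    "cn=editors,ou=groups,o=example": {
        "objectclass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,o=example"],
    },
    "ou=people,o=example": {"objectclass": ["organizationalUnit"]},
    "uid=alice,ou=people,o=example": {"objectclass": ["person"]},
    "uid=bob,ou=people,o=example": {"objectclass": ["person"]},
    "ou=foos,o=example": {
        "objectclass": ["organizationalUnit"],
        "appaci": [
            "subtree#grant:foo-1#all",
            "subtree#grant:foo-2,foo-3#group:cn=editors,ou=groups,o=example",
        ],
    },
    "cn=foo-a,ou=foos,o=example": {"objectclass": ["foo"]},
    "cn=foo-b,ou=foos,o=example": {
        "objectclass": ["foo"],
        # Per-entry deny that overrides the subtree grant inherited from ou=foos.
        "appaci": ["entry#deny:foo-3#user:uid=alice,ou=people,o=example"],
    },
}


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or a descendant of it (naive, no DN normalisation)."""
    return dn == base or dn.endswith("," + base)


def ancestors(dn: str) -> List[str]:
    """dn itself followed by each superior: cn=x,ou=y,o=z -> [cn=x,ou=y,o=z, ou=y,o=z, o=z]."""
    parts = dn.split(",")  # naive: assumes no escaped commas in RDN values
    return [",".join(parts[i:]) for i in range(len(parts))]


def subject_matches(subject: str, user_dn: str) -> bool:
    """Does the ACI subject clause apply to user_dn?"""
    kind, _, value = subject.partition(":")
    if kind == "all":
        return True
    if kind == "user":
        return value == user_dn
    if kind == "group":
        return user_dn in DIRECTORY.get(value, {}).get("member", [])
    return False  # unknown subject kinds never match (fail closed)


def effective_rights(user_dn: str, target_dn: str) -> Set[str]:
    """Application-defined permissions user_dn holds on target_dn.

    Grants and denies are collected from the target's own ACIs and from
    subtree-scoped ACIs on its superiors; any deny wins over any grant.
    """
    granted: Set[str] = set()
    denied: Set[str] = set()
    for holder in ancestors(target_dn):
        for aci in DIRECTORY.get(holder, {}).get("appaci", []):
            scope, action, subject = aci.split("#")
            if scope == "entry" and holder != target_dn:
                continue  # entry-scoped ACIs do not inherit downwards
            if not subject_matches(subject, user_dn):
                continue
            verb, _, perms = action.partition(":")
            (granted if verb == "grant" else denied).update(perms.split(","))
    return granted - denied


def has_right(user_dn: str, target_dn: str, perm: str) -> bool:
    """Permission check for one subject, one object and one action (the 11.1.4 / 12.2 question)."""
    return perm in effective_rights(user_dn, target_dn)


def entries_with_right(user_dn: str, base_dn: str, perm: str, object_class: str = "foo") -> List[str]:
    """All entries of object_class under base_dn on which user_dn holds perm (the scoped search question)."""
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if is_under(dn, base_dn)
        and object_class in attrs.get("objectclass", [])
        and has_right(user_dn, dn, perm)
    )


if __name__ == "__main__":
    alice = "uid=alice,ou=people,o=example"
    print(sorted(effective_rights(alice, "cn=foo-b,ou=foos,o=example")))
    print(entries_with_right(alice, "ou=foos,o=example", "foo-3"))
```

The point of the sketch is the shape of the answer rather than the syntax: once an ACI can carry an opaque permission name and a subject, "does this subject hold foo-3 on this entry" and "which foo entries in this scope does this subject hold foo-3 on" are both derived from the same evaluation function, which is what an effective-rights control or extended operation would have to expose if the client is allowed to name the permissions it is interested in.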