ACL Model and application defined permission
As I understand it, in the current ACL Model draft, the kinds of
permissions that an LDAP server understands are limited to those defined in
clause 4.1.1. Is this accurate? The reason that I ask is that I would
like to store application defined permissions as well. For example, I have
an application that allows users to perform several different actions on
various types of objects. Let's call these objects foo objects, and the
actions foo-1 through foo-n. None of these correspond to the add, delete,
export, etc. permissions defined in clause 4.1.1. I would like to be able
to have an ACI assigned to an entry that represents a foo object that grants
permissions to perform some foo-i actions to some list of subject entries
(i.e. users, groups, organizationalUnits, domainContexts, etc.). Can I
grant these permissions with the mechanisms currently defined in the ACL
Model draft? My presumption is that this would require a new permission
level, but I don't see how to shoe-horn this into the BNF of 4.1.1 or the
ASN.1 of 4.1.2.
I would also like to be able to verify that a subject entry has the
appropriate rights to perform an operation against a specified object. How
is this supposed to work in the existing model? Either the effective
rights control or extended operation ought to be able to work for this, but
the definitions are confusing to me. There should be a new clause 11.1.4
that gives a specific example of a Search request with the control that
shows how to do permission verification. Similarly, there should be a new
clause 12.2 that gives a specific example of the use of the extended
operation. I'd note that in both of these cases, there ought to be a way
for the LDAP client to list out the permissions in which it is interested.
I'd also like to be able to find all of the entries in a specified scope to
which a specified user has permission to perform action foo. I'm guessing
that I'm supposed to use the effective rights control for this, but without
the example, I'm at a loss as to how to build the search and the control
appropriately.
Overall, the model appears to be very close to meeting the requirements for
application defined permissions.
Thanks,
Bruce Greenblatt