
Re: ACL Model and application defined permission



Bruce Greenblatt wrote:
> 
> At 12:00 PM 2/15/2001 -0500, Larry S. Bartz wrote:
> 
> >The ACL Model should be limited to support of
> >Directory operations. This is not to say that the Directory shouldn't
> >be involved in supporting access, authorization, and usage decisions for
> >entities which are external to the Directory.
> >
> 
> Larry,
> 
> I couldn't disagree more.  What you fail to mention is that ALL entities
> are external to the directory.  The information that is stored in the
> directory is a partial representation of an external entity.  For example,
> there are many more attributes of a user than are stored in the
> directory.  Why are users, organizations, file servers, etc. internal to a
> directory, and a book or a hat external to the directory?  There is no
> obvious reason, because the directory is just keeping track of certain
> properties of these entities.  The more information that is kept in the
> directory, the more valuable it is.
> 
> Bruce
> 

Bruce,

I agree with your assertion regarding the difference between an object
and the representation of an object in the Directory. My bad. I shouldn't
have used a double negative in the sentence which you quoted above.
Restated, "The Directory should be involved in supporting access,
authorization, and usage decisions for entities which are external to the
Directory." We agree to that, I think.

I also agree that the value of the Directory is proportional to the
information it contains. Further, I agree that the Directory is a natural
platform for associating principals and services, consumers and suppliers,
for convenience and/or in support of security goals.

I disagree with your suggestion that the scope of the ACL Model should
be extended.
 
The ACL is the place to manage access to the Directory representation, 
the motes of data which comprise the Directory itself. The ACL Model is
scoped to manage access of Directory operations, Directory CRUD. The ACL
Model should stay in scope.

This very issue was discussed by several participants in ldapext in the 
spring and summer of 1998, and maybe again later. The discussion was 
initiated by those who objected to the "use" term (and its intended
functionality) of the original and early ACL Model drafts. The outcome,
the result of those discussions, was the focused and purposeful scope of
the current ACL Model.  

Users, organizations, file servers, books, hats, and whatever else can
be represented in the Directory, but they are not a part of the ACL
Model. 

By the same token, Policies (which can include authorization policies)
which apply to certain entities can also be represented in the Directory.
As proof, see the work products of the Policy WG and the work products of
DMTF CIM. These Policies should not be part of the ACL Model.

--
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
# Larry Bartz                           |                              |
#  lbartz@parnelli.indy.cr.irs.gov      | Ooo, ooo,                    |
#                                       | Ooo, ooo, oooooo!            |
#                                       | I've got a gnu attitude!     |
#  voice (317) 226-7060                 |                              |
#  FAX   (317) 226-6378                 |                              |
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|