
Re: ACL Model and application defined permission



At 02:11 PM 2/15/2001 -0500, Larry S. Bartz wrote:

OK.  We agree on something.  That's always good.


I disagree with your suggestion that the scope of the ACL Model should
be extended.

The ACL is the place to manage access to the Directory representation,
the motes of data which comprise the Directory itself. The ACL Model is
scoped to manage access of Directory operations, Directory CRUD. The ACL
Model should stay in scope.

This very issue was discussed by several participants in ldapext in the
spring and summer of 1998, and maybe again later. The discussion was
initiated by those who objected to the "use" term (and its intended
functionality) of the original and early ACL Model drafts. The outcome,
the result of those discussions, was the focused and purposeful scope of
the current ACL Model.

As I recall, the original draft of the model generated much unconstructive disagreement, and the chairs called for a vote on whether the work should even continue. As a result of the vote, the original model was pitched. The "use" construct defined there was not the same as what I am proposing. From the archives:


"Use - Execute; useful in controlling access to the objects referred to by directory entries than in controlling access to the directory entries themselves." (from draft-ietf-ldapext-acl-model-00.txt)

Clearly this is not the same as application defined permissions. I have been following this issue from the beginning, and I don't ever remember a discussion specifically related to application defined permissions taking place on the list. Of course there used to be a participant on the mailing list whose postings I stopped reading (list historians can probably guess who this is), so it is possible that I missed it.

Bruce

Bruce Greenblatt


Users, organizations, file servers, books, hats, and whatever else can
be represented in the Directory, but they are not a part of the ACL
Model.

By the same token, Policies (which can include authorization policies)
which apply to certain entities can also be represented in the
Directory. As proof, see the work products of the Policy WG and the
work products of DMTF CIM. These Policies should not be part of the
ACL Model.

--
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
# Larry Bartz                           |                              |
#  lbartz@parnelli.indy.cr.irs.gov      | Ooo, ooo,                    |
#                                       | Ooo, ooo, oooooo!            |
#                                       | I've got a gnu attitude!     |
#  voice (317) 226-7060                 |                              |
#  FAX   (317) 226-6378                 |                              |
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|