I disagree with your suggestion that the scope of the ACL Model should
be extended.
The ACL is the place to manage access to the Directory representation,
the motes of data which comprise the Directory itself. The ACL Model is
scoped to manage access of Directory operations, Directory CRUD. The ACL
Model should stay in scope.
This very issue was discussed by several participants in ldapext in the
spring and summer of 1998, and maybe again later. The discussion was
initiated by those who objected to the "use" term (and its intended
functionality) of the original and early ACL Model drafts. The outcome,
the result of those discussions, was the focused and purposeful scope of
the current ACL Model.
Users, organizations, file servers, books, hats, and whatever else can
be represented in the Directory, but they are not a part of the ACL
Model.
By the same token, Policies (which can include authorization policies)
which apply to certain entities can also be represented in the
Directory.
As proof, see the work products of the Policy WG and the work products
of DMTF CIM. These Policies should not be part of the ACL Model.
--
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
# Larry Bartz | |
# lbartz@parnelli.indy.cr.irs.gov | Ooo, ooo, |
# | Ooo, ooo, oooooo! |
# | I've got a gnu attitude! |
# voice (317) 226-7060 | |
# FAX (317) 226-6378 | |
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|