
Re: application defined permissions



At 11:17 AM 2/20/2001 -0800, Kurt D. Zeilenga wrote:

Because a directory implementation may not implement the operational
usage but your application should still be able to store the user
value.  A server which does not support the operational usage should
not publish the ldapACI attribute in its subschema.

I think that the application defined permissions are only useful in an LDAP server that already implements the rest of the ACL model. It is important that the effective rights computation for application defined permissions take place in the same manner as the LDAP defined permissions. If the LDAP server is not implementing the operational usage and effective rights computation, it is unlikely to be able to implement the computation for application defined permissions. I don't ever see an implementation supporting only application defined permissions. If all an application needs is a place to store permissions, it can easily use the member attribute, or something analogous. IMHO, the important thing is the ability of the LDAP server to compute effective rights. So, I'd like to see the application defined permissions bundled into the same attribute as the other permissions. However, if the consensus of the WG is to create two separate operational attributes, and have the exact same effective rights operations and controls applying to each attribute, we could probably do it that way.


Bruce