Re: application defined permission



Bruce,

My own feeling is still that it would be better to leave application
stuff out of the core model.  I would love to hear some more
opinions on this.

In terms of your proposal...I like the tagged oid approach.  I think it
would be better if you did not mention the xep stuff at all--let's leave
that for the next guy who will struggle with the extended operational
permissions....if that ever happens.

Point taken on the overloading effects of the interpretation approach.
Though by just using searchish permissions (read, search,
browseDN, returnDN), the effect of this could be minimised, i.e. at least
the users could not change anything.

Rob.

Bruce Greenblatt wrote:
> 
> After discussions on the list, and private discussions with Rob Byrne, here
> is a slightly modified proposal.  There was some discussion of using a
> separate attribute type name to hold application defined permissions.  I
> didn't put that in the modified proposal, but I'm OK with doing that, even
> though it doesn't seem to make much difference.  I also got several
> questions about why couldn't you just map application defined permissions
> into the existing permissions defined in the ACL model.  Just because you
> are giving a user the right to do something in an application does not
> necessarily mean that you want to give that user any rights to read or
> modify the entry in the directory that represents that application.
> 
> Bruce
> 
> ==============================================
> Bruce Greenblatt, Ph. D.
> Directory Tools and Application Services, Inc.
> http://www.directory-applications.com
> 
>   ------------------------------------------------------------------------
> 
>    Name: application-defined-aci.txt
>    Type: Plain Text (text/plain)