Re: application defined permission
At 08:50 AM 3/9/2001 -0800, Kurt D. Zeilenga wrote:
> I concur. The ACL model should be simple. This would add
> unnecessary complexity to the specification and implementations.

I don't really see how the proposal that I made is that complex. You are
just adding an extra possibility that doesn't restrict the operations of
the directory in any way. If the LDAP server chooses to implement the
application defined permissions (which it doesn't have to), then in
calculating the effective rights the application defined permissions should
be taken into account. This seems pretty simple to me. I was never trying
to say that all LDAP servers had to implement this. If you don't want to
implement application defined permissions, don't do it. It's just one
other option for implementors.
I think that limiting the list of permissions to those specifically defined
in the ACL model document is opening the door for the possibility of
problems down the road. By building in extensibility, you are making sure
that the protocol and model won't be broken down the road.

> We also use "pseudo" attributes (which don't actually exist)
> to govern access to information not held in any attributes.

Are you proposing this as a mechanism to implement application defined
permissions? I don't understand this. You give a user the ability to
write to an attribute that doesn't exist, so that when the user tries to
write a value into the attribute, the operation fails? Can you give more
details?
Thanks... Bruce
==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com