
Re: application defined permission

Bruce,

I feel that it is not a good idea to attempt to add in application-defined permissions into the LDAP ACI document.

I agree that a well-defined application permission model is a useful capability and we SHOULD define such a set of schema and characteristics.  I just don't think the current LDAP ACI draft is the place to add it.

Regarding permissions for extended operations, I feel that in some cases, as Kurt has pointed out, the existing LDAP ACI permissions can and should be used in determining whether the extended operation will be allowed or not.  I believe that there are other cases where this may not be true.  Further, since extended operations do NOT contain a "base DN" of any kind, an extended operation may or may not pertain to any particular sub-tree of information.  Thus, trying to "fudge in" extended operations permissions into the current LDAP ACI model doesn't seem appropriate either.

I think that these topics should be taken up in new internet drafts and then refined to RFC status.

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)
phone: 607.752.6388     tie-line: 8/852.6388
fax: 607.752.3681

To:        "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>, Rob Byrne <Robert.Byrne@Sun.COM>
cc:        ietf-ldapext@netscape.com
Subject:        Re: application defined permission

At 08:50 AM 3/9/2001 -0800, Kurt D. Zeilenga wrote:

>I concur.  The ACL model should be simple.  This would add
>unnecessary complexity to the specification and implementations.

I don't really see how the proposal that I made is that complex.  You are
just adding an extra possibility that doesn't restrict the operations of
the directory in any way.  If the LDAP server chooses to implement the
application defined permissions (which it doesn't have to), then in
calculating the effective rights the application defined permissions should
be taken into account.  This seems pretty simple to me.  I was never trying
to say that all LDAP servers had to implement this.  If you don't want to
implement application defined permissions, don't do it.  It's just one
other option for implementors.

I think that limiting the list of permissions to those specifically defined
in the acl model document is opening the door for the possibility of
problems down the road.  By building in extensibility, you are making sure
that the protocol and model won't be broken down the road.


>We also use "pseudo" attributes (which don't actually exist)
>to govern access to information not held in any attributes.
>

Are you proposing this as a mechanism to implement application defined
permissions?  I don't understand this.  You give a user the ability to
write to an attribute that doesn't exist, so that when the user tries to
write a value into the attribute, the operation fails?  Can you give more
details?

Thanks... Bruce

==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com
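The two mechanisms argued over above, Bruce's optional application-defined permissions folded into the effective-rights calculation and Kurt's "pseudo" attributes that gate access to information not held in any real attribute, can be illustrated with a small evaluator. This is an added example, not code from the thread, the ACL draft, or any LDAP server; the permission names, the ACI record layout, the `x-pseudo-extop-<op>` naming scheme and the sample subjects are all constructed for the illustration.

```python
"""Toy effective-rights evaluator for an extensible LDAP-style ACL model.

Illustrates two points from the ietf-ldapext discussion:
  (a) a server MAY honour application-defined permission names; a server that
      does not simply ignores them when computing effective rights, so the
      base model is not made more complex for implementors who opt out;
  (b) a "pseudo" attribute that is never stored in the DIT can carry a right
      that gates an operation (here an extended operation, which has no base DN).
Everything here (names, layout) is an assumption made for the example.
"""

from dataclasses import dataclass

# Assumed standard vocabulary for this toy; not the ACL draft's actual permission list.
STANDARD_PERMISSIONS = frozenset({"read", "write", "add", "delete", "search", "compare"})


@dataclass(frozen=True)
class Aci:
    subject: str            # DN of the subject this ACI applies to (constructed)
    target: str             # attribute name, "*" for all attributes, or a pseudo attribute
    grant: frozenset        # permission names granted
    deny: frozenset = frozenset()  # permission names explicitly denied


@dataclass
class Server:
    acis: list
    # Application-defined permissions this server chooses to recognise.  Names not in
    # this set (and not standard) are ignored: the "optional for implementors" behaviour.
    app_permissions: frozenset = frozenset()

    def known_permissions(self) -> frozenset:
        return STANDARD_PERMISSIONS | self.app_permissions

    def effective_rights(self, subject: str, target: str) -> frozenset:
        """Union of grants minus union of denies for (subject, target), restricted to
        the permissions this server recognises.  An explicit deny always wins."""
        known = self.known_permissions()
        granted, denied = set(), set()
        for aci in self.acis:
            if aci.subject != subject or aci.target not in (target, "*"):
                continue
            granted |= aci.grant & known
            denied |= aci.deny & known
        return frozenset(granted - denied)

    def allows(self, subject: str, target: str, permission: str) -> bool:
        return permission in self.effective_rights(subject, target)


def extended_op_allowed(server: Server, subject: str, op_name: str) -> bool:
    """Pseudo-attribute gate: the extended operation is permitted only if the subject
    holds 'write' on an attribute named after the operation.  The attribute never
    exists in any entry; it is purely a policy hook, so no base DN is required.
    The 'x-pseudo-extop-<op>' scheme is constructed for this example."""
    return server.allows(subject, f"x-pseudo-extop-{op_name}", "write")


# Constructed sample policy.  "app:approve" is an application-defined permission
# that only the extensible server knows about.
SAMPLE_ACIS = [
    Aci("cn=alice", "*", frozenset({"read", "search", "app:approve"})),
    Aci("cn=alice", "salary", frozenset({"write"}), deny=frozenset({"read"})),
    Aci("cn=bob", "x-pseudo-extop-whoami", frozenset({"write"})),
]
EXTENSIBLE_SERVER = Server(SAMPLE_ACIS, app_permissions=frozenset({"app:approve"}))
MINIMAL_SERVER = Server(SAMPLE_ACIS)  # implements only the standard vocabulary


if __name__ == "__main__":
    for name, srv in (("extensible", EXTENSIBLE_SERVER), ("minimal", MINIMAL_SERVER)):
        print(name, "alice/mail   ->", sorted(srv.effective_rights("cn=alice", "mail")))
        print(name, "alice/salary ->", sorted(srv.effective_rights("cn=alice", "salary")))
        print(name, "bob whoami   ->", extended_op_allowed(srv, "cn=bob", "whoami"))
        print(name, "alice whoami ->", extended_op_allowed(srv, "cn=alice", "whoami"))
```

The same ACI set evaluated by both servers shows the interoperability property Bruce argues for: the minimal server silently drops `app:approve` rather than rejecting the policy, while the extensible one folds it into the rights it reports. The pseudo-attribute check shows why alice's blanket `read`/`search` grant does not leak into an operation right, and why the gate needs no base DN at all.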