
Re: application defined permission



At 03:54 PM 3/9/2001 -0500, you wrote:

Bruce,

I feel that it is not a good idea to attempt to add in application-defined permissions into the LDAP ACI document.

OK. How about this. Put in some verbiage to let people know about application defined permissions, and extended operation permissions, and how they are outside the scope of this model, and are the subject of future work. I would suggest a slight modification of stuff from your note:



"A well-defined application permission model is a useful capability and we SHOULD define such a set of schema and characteristics. However, this model is out of scope for this document, as it is only concerned with applying access controls to existing LDAP operations.


Extended operations may NOT necessarily contain a "base DN" of any kind. An extended operation may or may not pertain to any particular sub-tree of information. Thus, trying to "fudge in" extended operations permissions into the current LDAP ACI model doesn't seem appropriate either. Applying permissions to extended operations is also out of scope for this document.

Both application defined permissions and extended operation permissions may be the subject of future IETF activity."

I will write up a draft on application defined permissions as a separate document after the meeting. Please let me know any discussions that take place about application defined permissions at the meeting. Thanks to everyone for taking the time to think about this issue! I will be thinking warm thoughts for you while everyone is in Minnesota!

Bruce



==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com