
Re: application defined permission




Bruce,

This sounds fine to me.

Thanks,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)
phone: 607.752.6388     tie-line: 8/852.6388
fax: 607.752.3681

To:        Timothy Hahn/Endicott/IBM@IBMUS, ietf-ldapext@netscape.com
cc:        
Subject:        Re: application defined permission



At 03:54 PM 3/9/2001 -0500, you wrote:

>Bruce,
>
>I feel that it is not a good idea to attempt to add in application-defined
>permissions into the LDAP ACI document.

OK.  How about this.  Put in some verbiage to let people know about
application defined permissions, and extended operation permissions, and
how they are outside the scope of this model, and are the subject of future
work.  I would suggest a slight modification of stuff from your note:


"A well-defined application permission model is a useful capability and we
SHOULD define such a set of schema and characteristics.  However, this
model is out of scope for this document, as it is only concerned with
applying access controls to existing LDAP operations.

Extended operations may NOT necessarily contain a "base DN" of any
kind.  An extended operation may or may not pertain to any particular
sub-tree of information. Thus, trying to "fudge in" extended operations
permissions into the current LDAP ACI model doesn't seem appropriate
either.  Applying permissions to extended operations is also out of
scope for this document.

Both application defined permissions and extended operation permissions may
be the subject of future IETF activity."

I will write up a draft on application defined permissions as a separate
document after the meeting.  Please let me know any discussions that take
place about application defined permissions at the meeting.  Thanks to
everyone for taking the time to think about this issue!  I will be thinking
warm thoughts for you while everyone is in Minnesota!

Bruce



==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com