
Re: Comments on Access Control Model draft - grant/deny evaluation rules




:
: Maybe David or someone from the X.500 crowd could comment on
: why X.500 does not recursively evaluate groups and roles in their
: ACM.

I'd like to hear it.  There are cases that come up frequently in my
life (e.g. tiered support organizations) where nested groups are really
important and useful as a way to control administrative overhead and
reduce the chances of making security mistakes.

I strongly agree. Nested groups are very useful. If an LDAP server supports the Access Control Model, and it supports nesting of groups, then it certainly ought to support nesting of groups when evaluating access controls. This is one of the strong points of using LDAP to store access control information.



: X.500(93):
:    nested groups are not supported when evaluating access controls.
:

============================================== Bruce Greenblatt, Ph. D. Directory Tools and Application Services, Inc. http://www.directory-applications.com
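To make the point of the thread concrete, here is an added illustration (not code from any poster or from an LDAP server) of how an access-control evaluator behaves with and without nested-group expansion. The DNs, the group tree (including a deliberate cycle) and the access-control item are all constructed for the example.

```python
from collections import deque

# Constructed sample directory: group DN -> list of member DNs (users or groups).
# "support-all" nests tier1 and tier2; tier2 nests tier3 and also refers back
# to "support-all", so a naive recursive expansion would loop forever.
DIRECTORY = {
    "cn=support-all,ou=groups,dc=example,dc=com": [
        "cn=support-tier1,ou=groups,dc=example,dc=com",
        "cn=support-tier2,ou=groups,dc=example,dc=com",
    ],
    "cn=support-tier1,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
    ],
    "cn=support-tier2,ou=groups,dc=example,dc=com": [
        "cn=support-tier3,ou=groups,dc=example,dc=com",
        "cn=support-all,ou=groups,dc=example,dc=com",  # cycle back to the parent
    ],
    "cn=support-tier3,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
    ],
}

def is_member(directory, user_dn, group_dn, nested=True):
    """True if user_dn is a member of group_dn.
    nested=False counts only direct member values (the X.500(93) rule quoted
    above); nested=True expands group members transitively, using a visited
    set so that cyclic group references terminate."""
    visited = set()
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        if current in visited:
            continue
        visited.add(current)
        for member in directory.get(current, []):
            if member == user_dn:
                return True
            if nested and member in directory:   # member is itself a group
                queue.append(member)
    return False

# Constructed access-control item: grant read on the tickets subtree to
# members of support-all. Evaluate it for a user with either rule.
ACI = {"target": "ou=tickets,dc=example,dc=com", "grant": "read",
       "group": "cn=support-all,ou=groups,dc=example,dc=com"}

def decide(directory, aci, user_dn, nested=True):
    """Return 'grant' if user_dn satisfies the ACI's group clause, else 'deny'."""
    return "grant" if is_member(directory, user_dn, aci["group"], nested) else "deny"
```

With the flat rule alice is denied even though she is a tier1 member; with nested evaluation both alice and bob are granted, and the support-all/tier2 cycle does not hang the evaluator.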