
Re: Comments on Access Control Model draft - grant/deny evaluation rules



I also believe the ability to evaluate nested groups is something that
directory users would expect to be able to do and would eventually
request--and so is important for the ACM.

On the implementation side I think caching group membership is a
workable solution that would give acceptable performance.

Rob.

Bruce Greenblatt wrote:
> 
> >:
> >: Maybe David or someone from the X.500 crowd could comment on
> >: why X.500 does not recursively evaluate groups and roles their
> >: ACM.
> >
> >I'd like to hear it.  There are cases that come up frequently in my
> >life (e.g. tiered support organizations) where nested groups are really
> >important and useful as a way to control administrative overhead and
> >reduce the chances of making security mistakes.
> 
> I strongly agree.  Nested groups are very useful.  If an LDAP server
> supports the Access Control Model, and it supports nesting of groups, then
> it certainly ought to support nesting of groups when evaluating access
> controls.  This is one of the strong points of using LDAP to store access
> control information.
> 
> >: X.500(93):
> >:    nested groups are not supported when evaluating access controls.
> >:
> 
> ==============================================
> Bruce Greenblatt, Ph. D.
> Directory Tools and Application Services, Inc.
> http://www.directory-applications.com
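The nested-group evaluation and membership caching discussed in this thread, as an added example that is not code from the thread or from any LDAP server. The group graph, the ACI rules and the deny-overrides-grant ordering are assumptions constructed for the example.

```python
from typing import Dict, Set

# Constructed sample directory (not real data): group DN -> direct member DNs,
# which may be users or nested groups. The tier2 -> support edge is a deliberate cycle.
GROUPS: Dict[str, Set[str]] = {
    "cn=support,ou=groups,o=example": {"cn=tier1,ou=groups,o=example",
                                       "cn=tier2,ou=groups,o=example"},
    "cn=tier1,ou=groups,o=example": {"uid=alice,ou=people,o=example"},
    "cn=tier2,ou=groups,o=example": {"uid=bob,ou=people,o=example",
                                     "cn=support,ou=groups,o=example"},
    "cn=admins,ou=groups,o=example": {"uid=carol,ou=people,o=example"},
}

# Cache of flattened membership: group DN -> transitive set of user DNs.
# Must be cleared (cache.clear()) whenever a group's member list changes,
# otherwise the ACM keeps granting rights from stale membership.
_FLAT: Dict[str, Set[str]] = {}

def members(group_dn: str, groups: Dict[str, Set[str]] = GROUPS,
            cache: Dict[str, Set[str]] = _FLAT) -> Set[str]:
    """Transitive user members of a group; a visited set makes cycles terminate."""
    if group_dn not in cache:
        users, seen, stack = set(), set(), [group_dn]
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            for m in groups.get(g, set()):
                if m in groups:          # nested group: keep walking
                    stack.append(m)
                else:                    # leaf entry: a user DN
                    users.add(m)
        cache[group_dn] = users
    return cache[group_dn]

# Constructed ACI rules: (effect, group DN, permission). Deny-overrides-grant
# ordering is an assumption for this example, not a rule taken from the thread.
ACIS = [("grant", "cn=support,ou=groups,o=example", "read"),
        ("grant", "cn=tier2,ou=groups,o=example", "write"),
        ("deny", "cn=tier1,ou=groups,o=example", "write"),
        ("grant", "cn=admins,ou=groups,o=example", "write")]

def evaluate(user_dn: str, permission: str) -> bool:
    """Grant only if some matching grant applies and no matching deny does."""
    applicable = {eff for eff, grp, perm in ACIS
                  if perm == permission and user_dn in members(grp)}
    return "grant" in applicable and "deny" not in applicable
```

Because tier2 nests support, which nests tier1, alice is reached through the cycle and the deny on tier1 still wins for her write request; without the visited set that same cycle would never terminate.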