
subjects in LDAP ACMs



I note that the LDAP ACI syntax only allows a single
subject per value though it is likely quite desirable
to treat certain kinds of subjects as orthogonal factors
in the ACM.  For example, it might be useful to say
"authzId X via Y method gets Z permission".

However, adding additional, independent factors to
the ACM adds to the complexity of specification so
we must tread lightly.

My first suggestion would be to remove subjects based
upon orthogonal factors from the ACM, then to discuss
support for orthogonal factors such as authnLevel.

I suggest Subjects be based solely upon presence, absence,
or value of the authorization identity.  Hence, I suggest
(provided in suggested precedence order):

  subject = this          ; self
  subject /= ("authzID-" authzID)
  subject /= ("role:" dn)
  subject /= ("group:" dn)
  subject /= ("subtree:" dn)
  subject /= authorized   ; authenticated and authorized
  subject /= anonymous    ; unauthenticated
  subject /= public       ; any user

Kurt
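The following is an added illustration of the proposed subject grammar and its precedence order; it is not code from the message above or from any LDAP server. It parses each of the eight subject forms and decides which matching subject wins for a bound identity. The matching semantics (a "this" subject matching when the authorization identity equals the target entry, "subtree:" as DN suffix matching, authzID values compared in their "dn:" form, and the shape of the `ctx` dictionary) are assumptions made for the example; the message only gives the grammar and the order.

```python
"""Parser and matcher for the proposed LDAP ACI subject grammar.

Added example, not from the original message.  The grammar and precedence
order are the ones proposed; the matching rules and the ctx layout are
assumptions chosen for illustration.
"""

# Precedence order as proposed in the message (index 0 wins).
PRECEDENCE = ["this", "authzID", "role", "group", "subtree",
              "authorized", "anonymous", "public"]

_KEYWORDS = {"this", "authorized", "anonymous", "public"}
_PREFIXED = {"role:": "role", "group:": "group", "subtree:": "subtree"}


def normalize_dn(dn):
    """Crude DN normalisation (assumption: lowercase, no whitespace around
    commas).  Real DN comparison follows the LDAP matching rules; this is
    only enough for the example."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_subject(text):
    """Return (kind, value) for one subject value, or raise ValueError."""
    text = text.strip()
    if text in _KEYWORDS:
        return (text, None)
    if text.startswith("authzID-"):
        value = text[len("authzID-"):]
        if not value:
            raise ValueError("authzID- requires an authorization identity")
        # Assumption: authzIDs are given in the "dn:<dn>" form.
        if value.startswith("dn:"):
            value = normalize_dn(value[len("dn:"):])
        return ("authzID", value)
    for prefix, kind in _PREFIXED.items():
        if text.startswith(prefix):
            value = text[len(prefix):]
            if not value:
                raise ValueError(f"{prefix} requires a DN")
            return (kind, normalize_dn(value))
    raise ValueError(f"unrecognised subject: {text!r}")


def is_under(dn, base):
    """True when dn equals base or lies anywhere beneath it."""
    n, b = normalize_dn(dn), normalize_dn(base)
    return n == b or n.endswith("," + b)


def matches(subject, ctx):
    """ctx keys (assumed layout): authz_dn (None when anonymous),
    target_dn (entry being accessed), roles and groups (DN lists)."""
    kind, value = subject
    authz = ctx.get("authz_dn")
    if kind == "public":
        return True
    if kind == "anonymous":
        return authz is None
    if authz is None:
        return False  # every remaining form needs an authorization identity
    if kind == "authorized":
        return True
    if kind == "this":
        return normalize_dn(authz) == normalize_dn(ctx.get("target_dn", ""))
    if kind == "authzID":
        return normalize_dn(authz) == value
    if kind == "role":
        return value in {normalize_dn(r) for r in ctx.get("roles", ())}
    if kind == "group":
        return value in {normalize_dn(g) for g in ctx.get("groups", ())}
    if kind == "subtree":
        return is_under(authz, value)
    raise ValueError(kind)


def most_specific(subject_texts, ctx):
    """Of the ACI subject values that match ctx, return the one that wins
    under the proposed precedence order, or None when nothing matches."""
    hits = []
    for text in subject_texts:
        subject = parse_subject(text)
        if matches(subject, ctx):
            hits.append(subject)
    if not hits:
        return None
    return min(hits, key=lambda s: PRECEDENCE.index(s[0]))
```

Because "anonymous" and "authorized" are mutually exclusive on the presence of the authorization identity, the precedence between them never has to be exercised; the order matters for the forms that can overlap, such as "this" against "subtree:" or "group:" against "public".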