
RE: ACM permission



Mark,

I think you will need at least a Filter Matching permission for attributes
as well.  A classical way to break security in a directory is to search for
entries with userPassword=*joan* (or whatever...).

Should there be a permission for Compare operations as well?  Denying
compare on operational information could be used to keep curious users from
poking at the ACIs themselves.

Cheers,                    ....Erik.

Erik Skovgaard
Siemens Meta-Directory Solutions
Phone: +1 604-204-0750
Fax:   +1 604-204-0760

-----Original Message-----
From: Mark Davidson [mailto:markd@pwd.hp.com]
Sent: Friday, July 06, 2001 05:44
To: ietf-ldapext@netscape.com
Subject: ACM permission


I have been thinking about simplifying the permissions 
in the ACM and also adding permissions for controls. How
about:

permissions for attributes: read, modify, create, delete
permissions for entries: read, modify, create, delete

and add control OID as a possible target with a permission
of use

so:

    ACI = rights "#" target "#" generalSubject

    permission = "r" / ; read
                 "m" / ; modify
                 "c" / ; create
                 "d" / ; delete
                 "u"   ; use
    ; permission u can only be used on controls

    target = "[all]" / "[entry]" / (attribute *("," attribute)) /
         "[controls]" / (controlType *("," controlType))

    controlType is defined in RFC2251


Granting these permissions allows:

Entry read - allows access to DN
Entry modify - can change DN
Entry create - can create an entry below this entry
Entry delete - can delete this entry

Attribute read - can read attribute 
Attribute modify - can modify replace attribute values
Attribute delete - can modify delete attribute values
Attribute create - can modify add attribute values

Control use - can use control where aci is active (this
              replaces the g permission in a more
              general way)


This does not give quite the same detailed level of
control as the current scheme, but is much easier
to understand from an administration point of view,
rather than a protocol point of view.

Mark
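An added worked example, not code from either message or from any LDAP server: a small parser for the ACI syntax Mark sketches (rights "#" target "#" generalSubject) together with a search-authorization check that closes the hole Erik describes. It assumes that `rights` is a string of the permission letters r/m/c/d/u, that `generalSubject` is an opaque label such as "anyone" or "self" (the thread does not define it), that a bare "[controls]" target means every control, that control types are dotted OIDs, and that filters are RFC 2254 string filters. Erik's "Filter Matching" permission is modelled by reusing Mark's read right for every attribute a filter tests, so a filter like (userPassword=*joan*) is refused for a caller who cannot read userPassword; a dedicated right could be substituted. The policy and filter below are constructed for the example.

```python
import re
from dataclasses import dataclass

PERMISSIONS = set("rmcdu")               # read, modify, create, delete, use
OID_RE = re.compile(r"^\d+(\.\d+)+$")    # controlType written as a dotted OID
# Attribute names that appear in an RFC 2254 string filter, e.g. "(cn=joan)".
FILTER_ATTR_RE = re.compile(r"\(\s*([A-Za-z][\w;.-]*)\s*(?:=|~=|>=|<=)")


@dataclass(frozen=True)
class Aci:
    rights: frozenset   # subset of PERMISSIONS
    kind: str           # "all" | "entry" | "attributes" | "controls"
    names: frozenset    # attribute names / control OIDs; empty for [all], [entry], [controls]
    subject: str        # generalSubject, treated as an opaque label here (assumption)


def parse_aci(text: str) -> Aci:
    """Parse 'rights#target#generalSubject'; raise ValueError on malformed input."""
    parts = text.split("#")
    if len(parts) != 3:
        raise ValueError(f"expected rights#target#subject, got {text!r}")
    rights_s, target, subject = (p.strip() for p in parts)
    rights = frozenset(rights_s)
    if not rights or not rights <= PERMISSIONS:
        raise ValueError(f"bad rights {rights_s!r}")
    if target in ("[all]", "[entry]", "[controls]"):
        kind, names = target.strip("[]"), frozenset()
    else:
        names = frozenset(n.strip().lower() for n in target.split(",") if n.strip())
        if not names:
            raise ValueError("empty target")
        oid_flags = [bool(OID_RE.match(n)) for n in names]
        if all(oid_flags):
            kind = "controls"
        elif any(oid_flags):
            raise ValueError("target mixes attributes and control OIDs")
        else:
            kind = "attributes"
    # Mark's rule: permission "u" can only be used on controls.
    if "u" in rights and kind != "controls":
        raise ValueError("permission 'u' is only valid on control targets")
    return Aci(rights, kind, names, subject)


def has_permission(acis, subject, perm, kind, name=None) -> bool:
    """True if some ACI for `subject` grants `perm` on an entry, attribute or control."""
    key = name.lower() if name else None
    for aci in acis:
        if aci.subject != subject or perm not in aci.rights:
            continue
        if kind == "entry" and aci.kind in ("entry", "all"):
            return True
        if kind == "attribute" and (aci.kind == "all" or
                                    (aci.kind == "attributes" and key in aci.names)):
            return True
        if kind == "control" and aci.kind == "controls" and (not aci.names or key in aci.names):
            return True
    return False


def filter_attributes(ldap_filter: str) -> set:
    """Every attribute a string filter matches against, lower-cased."""
    return {m.group(1).lower() for m in FILTER_ATTR_RE.finditer(ldap_filter)}


def authorize_search_naive(acis, subject, requested_attrs, ldap_filter) -> bool:
    """Checks only the attributes the client asks to have returned (the gap Erik describes)."""
    return all(has_permission(acis, subject, "r", "attribute", a) for a in requested_attrs)


def authorize_search(acis, subject, requested_attrs, ldap_filter) -> bool:
    """Also requires read on every attribute the filter tests, so the filter itself
    cannot be used to probe values the caller is not allowed to read."""
    needed = {a.lower() for a in requested_attrs} | filter_attributes(ldap_filter)
    return all(has_permission(acis, subject, "r", "attribute", a) for a in needed)


# Constructed policy: anyone may read the entry, cn and mail, and use the
# paged-results control (OID from RFC 2696); only "self" touches userPassword.
POLICY = [parse_aci(a) for a in (
    "r#[entry]#anyone",
    "r#cn,mail#anyone",
    "rmd#userPassword#self",
    "u#1.2.840.113556.1.4.319#anyone",
)]
PROBE_FILTER = "(|(cn=joan)(userPassword=*joan*))"   # constructed, after Erik's example


def demo() -> dict:
    """Naive check lets the password-probing filter through; the hardened one refuses it."""
    return {
        "naive": authorize_search_naive(POLICY, "anyone", ["cn"], PROBE_FILTER),
        "hardened": authorize_search(POLICY, "anyone", ["cn"], PROBE_FILTER),
        "plain_search": authorize_search(POLICY, "anyone", ["cn"], "(cn=joan)"),
        "paged_control": has_permission(POLICY, "anyone", "u", "control", "1.2.840.113556.1.4.319"),
    }


if __name__ == "__main__":
    print(demo())
```

The naive checker answers True for the probing filter because the caller only asked for cn back; the hardened one answers False because userPassword appears in the filter and the caller has no read right on it. The same `has_permission` call covers Mark's "u" right on control OIDs, and `parse_aci` rejects "u" on anything but a control target, as his grammar note requires.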
