
Re: expansion of groups/roles/subtree subjects in LDAP ACM



At 07:25 AM 7/9/2001, robert byrne wrote:

>Kurt,
>
>I think what's needed here is for the draft to specify that, if the
>evaluation of any part of the subject fails, then the subject part of
>that aci does not apply.  So we can change the intro to 4.3.2.4 to
>something like:
>
>"4.3.2.4  Applicability Rules for Subjects
>
>Call the subject portion of the ACI in question aciSubject.  Then to
>determine if aciSubject applies to requestorSubject we apply the
>following rules.  In the case where the server fails to evaluate a
>rule and so fails to fully confirm that aciSubject applies, then
>aciSubject does not apply."

I believe that rules for expansion of subjects should be
consistent with X.501(93), 16.4.2.5 "Determining group membership".
In particular,
  a) A DSA is not required to perform a remote operation to determine whether the
  requestor belongs to a particular group for the purposes of Basic Access Control.
  If membership in the group cannot be evaluated, the DSA shall assume that the
  requestor does not belong to the group if the ACI item grants the permission sought,
  and does belong to the group if it denies the permission sought.

 NOTE 1 - Access control administrators must beware of basing access controls on membership
 of non-locally available groups or groups which are available only through replication (and which
 may, therefore, be out of date).
 NOTE 2 - For performance reasons it is usually impractical to retrieve group membership from
 remote DSAs as part of the evaluation of access controls. However, in certain circumstances it
 may be practical, and a DSA is permitted, for example, to perform remote operations to obtain
 or refresh a local copy of a group entry or use the Compare operation to check membership
 prior to applying this clause.

I believe (b) makes sense as well, but that's another thread.
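The difference between the two rules under discussion (the X.501(93) 16.4.2.5 (a) text quoted above, and the proposed 4.3.2.4 wording that an unevaluable subject simply does not apply) is easiest to see on a deny item whose group lives on a remote DSA. The following is an added example written for this page, not code from the thread, from any DSA, or from the draft. The group data, the `AciItem` shape, the `lookup_membership` helper (local-only, no remote operation) and the combining rule (any applicable deny beats any applicable grant, nothing applicable means denied) are simplifying assumptions of the example; X.501 Basic Access Control has precedence and specificity rules that are not modelled here.

```python
"""Subject applicability when group membership cannot be evaluated.

Two rules for an ACI item whose subject is "members of group G":

  x501 : X.501(93) 16.4.2.5 (a): if membership cannot be evaluated, assume
         the requestor is NOT a member when the item grants, and IS a member
         when the item denies (always the reading that withholds the permission).
  draft: proposed 4.3.2.4 wording: if evaluation fails, the subject part of
         the item does not apply, whether the item grants or denies.

Added example; ACI shape, group data and combining rule are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Set


class Membership(Enum):
    MEMBER = "member"
    NOT_MEMBER = "not_member"
    UNKNOWN = "unknown"   # group not held locally; lookup could not be evaluated


@dataclass(frozen=True)
class AciItem:
    group_dn: str     # subject: members of this group
    permission: str   # permission sought, e.g. "read" or "modify"
    grants: bool      # True = grant item, False = deny item


# Constructed local group data (assumption). Groups absent from this map
# are treated as remote / unavailable and never fetched (X.501 (a): no
# remote operation is required to evaluate membership).
LOCAL_GROUPS: Dict[str, Set[str]] = {
    "cn=admins,dc=example,dc=com": {"uid=alice,dc=example,dc=com"},
    "cn=staff,dc=example,dc=com": {"uid=alice,dc=example,dc=com",
                                   "uid=bob,dc=example,dc=com"},
}


def lookup_membership(group_dn: str, requestor_dn: str) -> Membership:
    """Local-only membership check; UNKNOWN when the group is not held here."""
    members = LOCAL_GROUPS.get(group_dn)
    if members is None:
        return Membership.UNKNOWN
    return Membership.MEMBER if requestor_dn in members else Membership.NOT_MEMBER


def subject_applies(item: AciItem, membership: Membership, rule: str) -> bool:
    """Does the item's subject apply to the requestor under the given rule?"""
    if membership is Membership.MEMBER:
        return True
    if membership is Membership.NOT_MEMBER:
        return False
    # Membership could not be evaluated.
    if rule == "x501":
        # Deny items are assumed to apply, grant items are assumed not to.
        return not item.grants
    if rule == "draft":
        # Evaluation failed, so the subject part does not apply at all.
        return False
    raise ValueError(f"unknown rule {rule!r}")


def is_permitted(items: Iterable[AciItem], requestor_dn: str,
                 permission: str, rule: str) -> bool:
    """Combine applicable items: any applicable deny wins; otherwise the
    permission is granted only if some grant item applies (assumption)."""
    granted = False
    for item in items:
        if item.permission != permission:
            continue
        membership = lookup_membership(item.group_dn, requestor_dn)
        if not subject_applies(item, membership, rule):
            continue
        if not item.grants:
            return False
        granted = True
    return granted


# Constructed ACI set (assumption): staff may read; members of a group held
# only on a remote DSA may not read; members of another remote group may modify.
ACI = [
    AciItem("cn=staff,dc=example,dc=com", "read", grants=True),
    AciItem("cn=contractors,dc=remote,dc=example,dc=com", "read", grants=False),
    AciItem("cn=auditors,dc=remote,dc=example,dc=com", "modify", grants=True),
]

if __name__ == "__main__":
    bob = "uid=bob,dc=example,dc=com"
    for rule in ("x501", "draft"):
        print(rule, "bob read:", is_permitted(ACI, bob, "read", rule))
        print(rule, "bob modify:", is_permitted(ACI, bob, "modify", rule))
```

Under the X.501 rule the remote deny on `read` is assumed to apply, so bob is refused `read` even though the local `staff` grant matches him; under the draft wording the unevaluable deny drops out and the grant alone decides. The two rules agree on the remote `modify` grant, which applies under neither. That asymmetry on deny items is the security-relevant difference: the X.501 rule fails closed in both directions, whereas "does not apply" only fails closed for grants.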