
Re: generalized permission for controls



Even so, the mechanism used to define the permission is (essentially) the same as for ADP. I also note that the control will be embedded in an existing operation, which possibly has other controls. The interaction between the ACI for the operation, the ACI for this control and the ACI for all of the other controls is not defined by this. I believe the interaction to be potentially very complex, and best left for a separate document.

Bruce

At 04:55 PM 7/26/01 +0200, robert byrne wrote:

Bruce,

I think there are some important differences between this controlType
idea and Application Defined Permissions:

1. ADPs are informational only, the controlType would affect directory
operations that had controls attached.

2. ADPs are motivated by considerations (however worthy) from outside of
LDAP.  The controlType is trying to address an extensibility that is
built into LDAP, namely the ability to define controls that modify
operation semantics.

Rob.

Bruce Greenblatt wrote:
>
> I would like to see this kept out of the main draft, and moved forward as a
> separate item. I think that the rationale that is applied here should be
> similar to what was applied in my "application defined permissions"
> draft. In actuality, I think that this is really pretty much the same as
> the mechanism that I defined in the draft:
> http://search.ietf.org/internet-drafts/draft-greenblatt-ldap-perms-00.txt
>
> Bruce
>
> At 03:08 PM 7/24/01 -0500, Ellen Stokes wrote:
> >Folks,
> >
> >Mark Davidson proposed a generalized permission for
> >controls in his note dated July 6 on ACM permissions.
> >------------------------------------------------------------------------------
> >ACI = rights "#" target "#" generalSubject
> >
> >permission = "x" ; execute control
> >; permission u can only be used on controls
> >
> >target = "[all]" / "[entry]" / (attribute *("," attribute)) /
> >"[controls]" / (controlType *("," controlType))
> >
> >controlType is defined in RFC2251
> >
> >Control use - can use control where aci is active (this
> >replaces the g permission in a more general way)
> >------------------------------------------------------------------------------
> >
> >The authors like this idea and are working on text to
> >incorporate this into the draft and move the
> >getEffectiveRights control (and permission) in line with
> >this proposal.
> >
> >We'll be putting a synopsis of this out shortly to the list.
> >
> >In the interim, any comments?
> >
> >Ellen
>
> ==============================================
> Bruce Greenblatt, Ph. D.
> Directory Tools and Application Services, Inc.
> http://www.directory-applications.com

==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com