[Date Prev][Date Next]
Re: Global ACLs - Impacts access control and SLAPI (ITS#3100)
At 06:12 AM 4/20/2004, firstname.lastname@example.org wrote:
>> I don't think it is broke, but intended behavior:
>> If their are global acls, they apply to all databases
>> after any db acls. If the db has no acls, global acls
>> are used.
>> If the target is not within any database, acls of
>> first database (then global acls) apply.
>> It's been this way for many years (long before SLAPI).
>I'll revert in a moment. My concern was that
>when addressing rootDSE or cn=subschema, I had
>to run thru the first database rules, which is
>counterintuitive; wouldn't it be better to
>address this specifical case by short-circuiting
Then they wouldn't be global acls. They'd be
acls which applied to objects outside of all
databases. While it might make sense to have
a set of ACLs which applied to this set of
objects, it is different set concept than
(Note that global ACLs were invented before there
was a root DSE or cn=subschema.)