(ITS#3625) [enhancement] per-operation ACLs
Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.175.154.56)
Submitted by: ando
Every now and then people look for a means to allow adding an entry rather than
deleting it or modifying it and so on. I think this could be easily obtained
with a quite limited effort by adding an operation mask to the <what> clause,
something like
    access to * op=add,delete
        by ...
so that only operations within the mask do match the <what>. The mask could
also be negated, like
    access to * op!=modify
        by ...
and we could use groups like "read,write,auth". This should be tested before
anything else, since it's basically a bitwise AND, so it could save a lot of
effort by working out all the ACLs that are not intended for a specific
operation. I think this goes in the direction of something that Hallvard asked
shortly ago.
I'll prepare a prototype in a moment.
p.
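
The operation-mask pre-filter proposed in this post, sketched in C as an added example; it is not the prototype mentioned above and not OpenLDAP code. The operation names, the bit values and the contents of the "read", "write" and "auth" groups are assumptions, since the post only names the groups.

```c
#include <string.h>

/* Hypothetical operation bits; not taken from slapd. */
enum { OP_ADD = 1, OP_DELETE = 2, OP_MODIFY = 4, OP_MODRDN = 8,
       OP_SEARCH = 16, OP_COMPARE = 32, OP_BIND = 64, OP_ALL = 127 };

static const struct { const char *name; unsigned bits; } op_names[] = {
    { "add", OP_ADD }, { "delete", OP_DELETE }, { "modify", OP_MODIFY },
    { "modrdn", OP_MODRDN }, { "search", OP_SEARCH },
    { "compare", OP_COMPARE }, { "bind", OP_BIND },
    /* Assumed group contents. */
    { "read", OP_SEARCH | OP_COMPARE },
    { "write", OP_ADD | OP_DELETE | OP_MODIFY | OP_MODRDN },
    { "auth", OP_BIND },
};

/* Parse "op=a,b" or "op!=a,b" into a mask. Returns 0 on success and -1 on
 * any syntax error or unknown name, so a typo never widens an ACL. */
int parse_op_clause(const char *clause, unsigned *mask)
{
    int negate = 0;
    unsigned m = 0;
    size_t n = sizeof op_names / sizeof op_names[0];

    if (strncmp(clause, "op=", 3) == 0) clause += 3;
    else if (strncmp(clause, "op!=", 4) == 0) { clause += 4; negate = 1; }
    else return -1;

    while (*clause) {
        size_t len = strcspn(clause, ","), i;
        for (i = 0; i < n; i++)
            if (strlen(op_names[i].name) == len &&
                strncmp(clause, op_names[i].name, len) == 0)
                break;
        if (i == n) return -1;                       /* unknown or empty name */
        m |= op_names[i].bits;
        clause += len;
        if (*clause == ',' && *++clause == '\0') return -1; /* trailing comma */
    }
    if (m == 0) return -1;                           /* "op=" with no names */
    *mask = negate ? (~m & OP_ALL) : m;
    return 0;
}

/* The pre-filter itself is one bitwise AND, done before any other ACL test.
 * Returns 1 = evaluate this ACL for op, 0 = skip it, -1 = malformed clause. */
int clause_matches(const char *clause, unsigned op)
{
    unsigned mask;
    return parse_op_clause(clause, &mask) ? -1 : (mask & op) != 0;
}
```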