Re: (ITS#3625) [enhancement] per-operation ACLs
At 12:52 PM 4/1/2005, email@example.com wrote:
>Kurt D. Zeilenga wrote:
>>What about modify operations which add entries, or
>>add operations that modify existing entries, or
>>delete operations that do searches, or searches
>>that do deletes?
>>Is it the LDAP op code that matters here? or the
>>underlying DIT operation? I think the latter.
>Are you thinking about internal operations, as those performed by
>syncrepl or things like that?
I'm thinking about operations extended by controls,
overlay/SLAPI games, etc.
>I understand your point, and in fact I'd
>try to use the op code related to the operation requested by the client
>(which is not what the code is doing right now) instead of that of the
>current operation. However, it is my understanding that whenever an
>operation is doing something radically different (e.g., a search deletes
>an entry) it is likely to be performed with some administrative
>privileges (e.g. rootdn or so).
>>Maybe it would make more sense to divide "w"
>>into different kinds of writes?
>>    permission = "a" / ; add
>>                 "d" / ; delete
>>                 "e" / ; export
>>                 "i" / ; import
>>                 "n" / ; renameDN
>>                 "b" / ; browseDN
>>                 "t" / ; returnDN
>>                 "r" / ; read
>>                 "s" / ; search
>>                 "w" / ; write (mod-add)
>>                 "o" / ; obliterate (mod-del)
>>                 "c" / ; compare
>>                 "m" / ; make
> SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497