Granting rights based on relationships
While we're talking about ACLs and ACIs, here's what I'd like to be
able to do. I'd like to grant rights based on (dynamic)
relationships between the subject and the object. Like grant access
to my boss's secretary, or to all my brother's children. My boss
might change, or his secretary might change, so I don't want to
hard-code a DN. Likewise, my brother might have a new kid; I don't
want to have to update my list (or use a group) when his object
contains this info.

The examples are contrived, but the point is that I'd like to use the
info that's already in object attributes instead of defining formal
groups for every possible grouping of objects, and without adding a
"role" object for every possible position in a company.

I've got working code (and a simple syntax) to do this, if anyone
else is interested.
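
The idea in the message above, sketched as an added example (not the poster's code or syntax, which the message does not show): a rule names a chain of DN-valued attributes to follow from the protected object, and access is decided by resolving that chain at request time. The directory contents, the `brother` and `child` attributes, the rule format and the simplified DN normalization are all assumptions made for illustration.

```python
# Constructed sample directory: normalized DN -> multi-valued attributes.
DIRECTORY = {
    "cn=me,ou=people,o=example": {
        "manager": ["CN=Boss, OU=People, O=Example"],   # mixed case on purpose
        "brother": ["cn=bro,ou=people,o=example"],
    },
    "cn=boss,ou=people,o=example": {
        "secretary": ["cn=sec1,ou=people,o=example"],
    },
    "cn=bro,ou=people,o=example": {
        "child": ["cn=kid1,ou=people,o=example", "cn=kid2,ou=people,o=example"],
    },
}

# Hypothetical rules attached to the object "cn=me,...": (right, attribute path).
RULES = [
    ("read",  ["manager", "secretary"]),   # my boss's secretary
    ("write", ["manager", "secretary"]),
    ("read",  ["brother", "child"]),       # all my brother's children
]

def norm(dn):
    """Simplified DN normalization (assumption): lower-case, trim around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def resolve(directory, start_dn, path):
    """Follow a chain of DN-valued attributes; return the set of DNs reached."""
    current = {norm(start_dn)}
    for attr in path:
        reached = set()
        for dn in current:
            entry = directory.get(dn)
            if entry is None:          # dangling reference grants nothing
                continue
            reached.update(norm(v) for v in entry.get(attr, []))
        current = reached
    return current

def is_granted(directory, subject_dn, object_dn, rules, right):
    """Deny by default; an empty path is ignored so it never grants by accident."""
    subject = norm(subject_dn)
    return any(
        rule_right == right and path
        and subject in resolve(directory, object_dn, path)
        for rule_right, path in rules
    )
```

Because the chain is resolved on every check, changing the boss's `secretary` value changes who is granted access without touching the rules; the corollary is that write access to those attributes is effectively the ability to grant rights on the object.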