Granting rights based on relationships

While we're talking about ACLs and ACIs, here's what I'd like to be able to do. I'd like to grant rights based on (dynamic) relationships between the subject and the object. Like grant access to my boss's secretary, or to all my brother's children. My boss might change, or his secretary might change, so I don't want to hard-code a DN. Likewise, my brother might have a new kid; I don't want to have to update my list (or use a group) when his object already contains this info.

The examples are contrived, but the point is that I'd like to use the info that's already in object attributes instead of defining formal groups for every possible grouping of objects, and without adding a "role" object for every possible position in a company.

I've got working code (and a simple syntax) to do this, if anyone else is interested.
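To make the idea concrete, here is an added example of the kind of check being described (my own illustration, not the poster's code or syntax): a rule names a path of attributes to walk from the protected object, such as owner/manager/secretary, and the subject gets the right if its DN is in the set the walk ends at. The directory is a constructed in-memory stand-in for LDAP, and the attribute names (owner, manager, secretary, sibling, child) and the slash-separated path syntax are assumptions for the example, not a real schema.

```python
"""Relationship-based access check over an in-memory, LDAP-like directory.

Added example: a rule names a path of attributes to walk from the protected
object (e.g. owner/manager/secretary); the subject gets the right if it lands
in the set of DNs the walk ends at. No person is hard-coded in the rule.
"""
from __future__ import annotations

import copy
from typing import Dict, List, Set, Tuple

Directory = Dict[str, Dict[str, List[str]]]


def dn(uid: str) -> str:
    """Build a people DN for the constructed sample data."""
    return f"uid={uid},ou=people,dc=example,dc=com"


# Constructed sample directory. Attribute names (owner, manager, secretary,
# sibling, child) are assumptions for this example, not a real schema.
DIRECTORY: Directory = {
    dn("alice"): {"manager": [dn("bob")], "sibling": [dn("frank")]},
    dn("bob"):   {"secretary": [dn("carol")]},
    dn("carol"): {},
    dn("dave"):  {"secretary": [dn("erin")]},
    dn("erin"):  {},
    dn("frank"): {"child": [dn("gina"), dn("hal"), dn("ghost")]},  # ghost: dangling ref
    dn("gina"):  {},
    dn("hal"):   {},
    "cn=calendar,ou=docs,dc=example,dc=com": {"owner": [dn("alice")]},
}

# Rules: (right, relationship path). The path is walked starting at the object.
RULES: List[Tuple[str, str]] = [
    ("write", "owner"),
    ("read", "owner"),
    ("read", "owner/manager/secretary"),   # my boss's secretary
    ("read", "owner/sibling/child"),       # my brother's children
]

MAX_PATH_LEN = 8  # bound rule depth so a bad rule cannot walk the whole tree


def resolve(start: Set[str], path: List[str], directory: Directory) -> Set[str]:
    """Follow `path` attribute by attribute from `start`; return the DNs reached.

    Multi-valued attributes fan out (several children -> several DNs).
    References to entries that do not exist are skipped when walking, since
    there is nothing to follow from them.
    """
    if len(path) > MAX_PATH_LEN:
        raise ValueError("relationship path too long")
    current = set(start)
    for attr in path:
        nxt: Set[str] = set()
        for ref in current:
            entry = directory.get(ref)
            if entry is None:
                continue
            nxt.update(entry.get(attr, []))
        current = nxt
        if not current:
            break  # nobody reached; later steps cannot add anyone
    return current


def check_access(subject: str, obj: str, right: str,
                 rules: List[Tuple[str, str]] = RULES,
                 directory: Directory = DIRECTORY) -> bool:
    """Grant `right` on `obj` to `subject` if any rule's path reaches `subject`."""
    if subject not in directory:
        return False  # unknown subject (or a dangling reference): never grant
    for rule_right, path in rules:
        if rule_right != right:
            continue
        if subject in resolve({obj}, path.split("/"), directory):
            return True
    return False


def updated(directory: Directory, entry_dn: str, attr: str,
            values: List[str]) -> Directory:
    """Return a copy of `directory` with one attribute replaced (a simulated edit)."""
    new = copy.deepcopy(directory)
    new.setdefault(entry_dn, {})[attr] = list(values)
    return new


if __name__ == "__main__":
    cal = "cn=calendar,ou=docs,dc=example,dc=com"
    for who in ("carol", "erin", "gina", "ghost"):
        print(who, "read:", check_access(dn(who), cal, "read"))
    # Bob gets a new secretary: no ACL edit needed, the rule follows the data.
    moved = updated(DIRECTORY, dn("bob"), "secretary", [dn("erin")])
    print("erin read after change:", check_access(dn("erin"), cal, "read", directory=moved))
```

Two details matter in practice: multi-valued attributes fan out, so "all my brother's children" falls out of the same walk as "my boss's secretary", and a subject that is not an entry in the directory is denied even if some attribute still points at its DN, so a stale reference cannot grant anything. Re-pointing Bob's secretary attribute changes who can read without touching the rule, which is the point of deriving the grant from the data.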