
Re: Granting rights based on relationships

 >While we're talking about ACLs and ACIs, here's what I'd like to be
 >able to do.  I'd like to grant rights based on (dynamic)
 >relationships between the subject and the object.  Like grant access
 >to my boss's secretary, or to all my brother's children.  My boss
 >might change, or his secretary might change, so I don't want to
 >hard-code a DN.  Likewise, my brother might have a new kid, I don't
 >want to have to update my list (or use a group) when his object
 >contains this info.

Something like:

access to dn="cn=me..." attrs=entry,title
 by dnattr=manager/secretary write
 by dnattr=brother/children read

Yup. An arbitrary number of "links" though, and not just starting from the current object. For example, to do brother's children, person objects might just have "sibling" and "parent" attributes. In this case, I'd need to grant access if the currently connected user's father was the object's (my) brother. Obviously there are multi-value attribute issues here, but they are easy enough to manage.

Is this of any interest?  I can give you a full syntax if you want.
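A worked example of the relationship walk being discussed, added here and not part of the original post or of OpenLDAP's slapd: it models the directory as an in-memory dict of hypothetical DNs under dc=example,dc=com, follows a fixed-length chain of DN-valued attributes from the object entry and another from the bound subject, and grants when the two sets of DNs reached intersect. The "brother's children" case therefore becomes object.sibling intersected with subject.parent, and the plain dnattr=manager/secretary case is the same check with an empty subject chain. The attribute names, the MAX_LINKS cap, the DN normalisation and the first-match semantics are assumptions for illustration.

```python
"""Relationship-based access over DN-valued attributes (added example; not
OpenLDAP code and not from the original post).

The directory is a hypothetical in-memory model: DN -> {attribute: [values]},
with relationship attributes (manager, secretary, sibling, parent) holding
DNs. Keys and values are stored pre-normalised (see normalize_dn).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Assumed policy cap: a rule may follow at most this many links, so a
# mistyped rule cannot turn every access check into a wide graph walk.
MAX_LINKS = 4


def normalize_dn(dn: str) -> str:
    """Minimal DN normalisation (trim, lowercase) so that
    'CN=Me, DC=Example' and 'cn=me,dc=example' compare equal.
    Real DN matching is richer; this is enough for the example."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def follow(directory: Directory, start: str, path: Tuple[str, ...]) -> Set[str]:
    """Follow a chain of DN-valued attributes from `start`.

    Multi-valued attributes fan out, so the result is a set of DNs. Values
    naming entries that do not exist are dropped, and because the path has a
    fixed length the walk always terminates even if links form a cycle
    (sibling -> sibling just leads back). An empty path returns {start}.
    """
    if len(path) > MAX_LINKS:
        raise ValueError(f"rule follows more than {MAX_LINKS} links")
    current = {normalize_dn(start)}
    for attr in path:
        nxt: Set[str] = set()
        for dn in current:
            for value in directory.get(dn, {}).get(attr, []):
                value = normalize_dn(value)
                if value in directory:  # ignore dangling references
                    nxt.add(value)
        current = nxt
        if not current:
            break
    return current


@dataclass(frozen=True)
class Rule:
    """Grant `access` when the DNs reached from the object along `object_path`
    intersect the DNs reached from the subject along `subject_path`.
    subject_path=() is the plain dnattr=manager/secretary form: the subject
    itself must be one of the DNs the object's chain reaches."""
    object_path: Tuple[str, ...]
    subject_path: Tuple[str, ...]
    access: str


def access_for(directory: Directory, subject_dn: str, object_dn: str,
               rules: List[Rule]) -> str:
    """Access level of the first matching rule, or 'none'. First match wins,
    like the ordered `by` clauses of a slapd access directive (assumed
    semantics). An empty (anonymous) subject matches nothing."""
    if not subject_dn:
        return "none"
    for rule in rules:
        reached_from_object = follow(directory, object_dn, rule.object_path)
        reached_from_subject = follow(directory, subject_dn, rule.subject_path)
        if reached_from_object & reached_from_subject:
            return rule.access
    return "none"


# Constructed sample directory with hypothetical DNs (not real data).
DIRECTORY: Directory = {
    "cn=me,dc=example,dc=com": {
        "manager": ["cn=boss,dc=example,dc=com"],
        "sibling": ["cn=brother,dc=example,dc=com", "cn=sister,dc=example,dc=com"],
    },
    "cn=boss,dc=example,dc=com": {"secretary": ["cn=sec,dc=example,dc=com"]},
    "cn=sec,dc=example,dc=com": {},
    "cn=brother,dc=example,dc=com": {"sibling": ["cn=me,dc=example,dc=com"]},
    "cn=sister,dc=example,dc=com": {"sibling": ["cn=me,dc=example,dc=com"]},
    "cn=niece,dc=example,dc=com": {"parent": ["cn=brother,dc=example,dc=com"]},
    "cn=nephew,dc=example,dc=com": {"parent": ["cn=sister,dc=example,dc=com"]},
    "cn=stranger,dc=example,dc=com": {"parent": ["cn=nobody,dc=example,dc=com"]},
}

# The two `by` clauses from the post, expressed as rules on cn=me.
ACL_FOR_ME = [
    Rule(("manager", "secretary"), (), "write"),  # by dnattr=manager/secretary write
    Rule(("sibling",), ("parent",), "read"),      # brother's children: object.sibling == subject.parent
]

if __name__ == "__main__":
    me = "cn=me,dc=example,dc=com"
    for who in ("cn=sec", "cn=niece", "cn=brother", "cn=stranger"):
        print(who, "->", access_for(DIRECTORY, who + ",dc=example,dc=com", me, ACL_FOR_ME))
```

Two points worth keeping when doing this for real: normalise both sides of every DN comparison before intersecting (a case or whitespace mismatch silently denies, or worse, a sloppy comparison grants), and cap the chain length in the rule itself, since each extra link multiplies the number of entries a single access check has to read.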