Re: Granting rights based on relationships
>While we're talking about ACLs and ACIs, here's what I'd like to be
>able to do. I'd like to grant rights based on (dynamic)
>relationships between the subject and the object. Like grant access
>to my boss's secretary, or to all my brother's children. My boss
>might change, or his secretary might change, so I don't want to
>hard-code a DN. Likewise, my brother might have a new kid, and I don't
>want to have to update my list (or use a group) when his object
>contains this info.
access to dn="cn=me..." attrs=entry,title
by dnattr=manager/secretary write
by dnattr=brother/children read
Yup. An arbitrary number of "links" though, and not just starting
from the current object. For example, to do brother's children,
person objects might just have "sibling" and "parent" attributes. In
this case, I'd need to grant access if the currently connected user's
father was the object's (my) brother. Obviously there are
multi-value attribute issues here, but they are easy enough to manage.
Is this of any interest? I can give you a full syntax if you want.
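One way to evaluate such chained links, as an added example that is not part of this thread or of OpenLDAP's ACL engine: a rule is a '/'-separated attribute path walked from the object, optionally paired with a second path walked from the connected user, and access is granted when the two walks meet. The DNs, attribute names and the two-path rule form are constructed for illustration.

```python
# Added example (not from the thread or OpenLDAP): evaluating a relationship-path
# ACL over a constructed in-memory directory. DNs and attribute names are made up.
from typing import Dict, List, Set

Entry = Dict[str, List[str]]    # attribute name -> values (treated as multi-valued)
Directory = Dict[str, Entry]    # DN -> entry

# Constructed sample directory; every link is a DN-valued attribute.
DIRECTORY: Directory = {
    "cn=me,dc=example,dc=com": {"manager": ["cn=boss,dc=example,dc=com"],
                                "sibling": ["cn=bro,dc=example,dc=com"]},
    "cn=boss,dc=example,dc=com": {"secretary": ["cn=sec,dc=example,dc=com"]},
    "cn=sec,dc=example,dc=com": {},
    "cn=bro,dc=example,dc=com": {"sibling": ["cn=me,dc=example,dc=com"],
                                 "children": ["cn=kid1,dc=example,dc=com",
                                              "cn=kid2,dc=example,dc=com"]},
    "cn=kid1,dc=example,dc=com": {"parent": ["cn=bro,dc=example,dc=com"]},
    "cn=kid2,dc=example,dc=com": {"parent": ["cn=bro,dc=example,dc=com"]},
    "cn=stranger,dc=example,dc=com": {"parent": ["cn=boss,dc=example,dc=com"]},
}


def walk(directory: Directory, start: str, path: str) -> Set[str]:
    """Follow a '/'-separated chain of DN-valued attributes from `start`.
    Each hop fans out over every value of a multi-valued attribute, so the
    result is the set of DNs reachable by exactly that chain; a dangling or
    missing attribute simply yields nothing further (deny by default)."""
    frontier = {start}
    for attr in [p for p in path.split("/") if p]:
        frontier = {target
                    for dn in frontier
                    for target in directory.get(dn, {}).get(attr, [])}
    return frontier


def relationship_grants(directory: Directory, object_dn: str, subject_dn: str,
                        object_path: str, subject_path: str = "") -> bool:
    """Grant iff some DN reached from the object via `object_path` is also
    reached from the connected user via `subject_path` (empty = the user).
      dnattr=manager/secretary      -> object_path="manager/secretary"
      user's parent is my sibling   -> object_path="sibling", subject_path="parent"
    """
    return bool(walk(directory, object_dn, object_path)
                & walk(directory, subject_dn, subject_path))
```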