RE: Granting rights based on relationships

This is pretty much what I was trying to accomplish with my "atattr" ACL
accessor, but it sounds like you have something even more general in mind.
I'd definitely like to see what you're planning, because I still intend to
commit atattr support into the tree. If you've got something better, I'll
use that instead.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Mark Valence
> Sent: Wednesday, June 07, 2000 12:41 PM
> To: openldap-devel@OpenLDAP.org
> Subject: Granting rights based on relationships
>
> While we're talking about ACLs and ACIs, here's what I'd like to be
> able to do.  I'd like to grant rights based on (dynamic)
> relationships between the subject and the object.  Like grant access
> to my boss's secretary, or to all my brother's children.  My boss
> might change, or his secretary might change, so I don't want to
> hard-code a DN.  Likewise, my brother might have a new kid, I don't
> want to have to update my list (or use a group) when his object
> contains this info.
>
> The examples are contrived, but the point is that I'd like to use the
> info that's already in object attributes instead of defining formal
> groups for every possible grouping of objects, and without adding a
> "role" object for every possible position in a company.
>
> I've got working code (and a simple syntax) to do this, if anyone
> else is interested.
>
> Mark.
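
The relationship-based grant discussed in this thread, sketched as an added example; it is not Mark Valence's code, the "atattr" accessor, or OpenLDAP ACL syntax. The directory entries, attribute names (`manager`, `secretary`, `brother`, `child`), rule format and function names are all assumptions, and the check denies by default when a chain is empty or dangling.

```python
"""Relationship-based access check over an in-memory directory (illustrative)."""

def norm(dn):
    # Simplified DN normalization (assumption): lowercase, trim around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def resolve(directory, start_dn, path):
    """Follow a chain of DN-valued attributes from start_dn; return DNs reached."""
    current = {norm(start_dn)}
    for attr in path:
        reached = set()
        for dn in current:
            entry = directory.get(dn, {})  # dangling DN contributes nothing
            reached.update(norm(v) for v in entry.get(attr, []))
        current = reached
        if not current:  # chain broke: nobody is reachable
            break
    return current

def is_granted(directory, subject_dn, object_dn, rules):
    """Default deny. Grant when the subject is reachable from the object being
    accessed through any rule path; an empty path never grants."""
    subject = norm(subject_dn)
    return any(path and subject in resolve(directory, object_dn, path)
               for path in rules)

# Constructed sample data (hypothetical entries, keys already normalized).
MARK = "cn=mark,dc=example,dc=com"
DIRECTORY = {
    MARK: {"manager": ["cn=boss,dc=example,dc=com"],
           "brother": ["cn=bob,dc=example,dc=com"]},
    "cn=boss,dc=example,dc=com": {"secretary": ["cn=sam,dc=example,dc=com"]},
    "cn=bob,dc=example,dc=com": {"child": ["cn=kid1,dc=example,dc=com"]},
}
# "my boss's secretary" and "all my brother's children", relative to the object.
RULES = [["manager", "secretary"], ["brother", "child"]]

if __name__ == "__main__":
    for who in ("CN=Sam, DC=example, DC=com", "cn=kid1,dc=example,dc=com",
                "cn=pat,dc=example,dc=com"):
        print(who, "->", is_granted(DIRECTORY, who, MARK, RULES))
```

Because the rules name attributes rather than DNs, changing the `secretary` value on the boss's entry or adding a `child` value changes who is granted without touching the rules, which also means write access to those attributes becomes write access to the ACL.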