[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Granting rights based on relationships



This is pretty much what I was trying to accomplish with my "atattr" ACL
accessor, but it sounds like you have something even more general in mind.
I'd definitely like to see what you're planning, because I still intend to
commit atattr support into the tree. If you've got something better, I'll
use that instead.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Mark Valence
> Sent: Wednesday, June 07, 2000 12:41 PM
> To: openldap-devel@OpenLDAP.org
> Subject: Granting rights based on relationships
>
>
>
> While we're talking about ACLs and ACIs, here's what I'd like to be
> able to do.  I'd like to grant rights based on (dynamic)
> relationships between the subject and the object.  Like grant access
> to my boss's secretary, or to all my brother's children.  My boss
> might change, or his secretary might change, so I don't want to
> hard-code a DN.  Likewise, my brother might have a new kid, I don't
> want to have to update my list (or use a group) when his object
> contains this info.
>
> The examples are contrived, but the point is that I'd like to use the
> info that's already in object attributes instead of defining formal
> groups for every possible grouping of objects, and without adding a
> "role" object for every possible position in a company.
>
> I've got working code (and a simple syntax) to do this, if anyone
> else is interested.
>
> Mark.
>