
Re: Granting rights based on relationships
At 04:14 PM 6/7/00 -0400, Mark Valence wrote:
>Yup.  An arbitrary number of "links" though, and not just starting 
>from the current object.

"arbitrary" scares me... and "not just" should be well defined.
I can see relationships between the target (to entry) and the
subject (by entry) going in either direction, not sure where
else you'd start the processing.  We'd, of course, have to
deal with loop detection, deadlock avoidance, etc.  And they
would be expensive.

As far as arbitrary number of links goes (though it scares me),
we likely should expand group membership recursively as well
(per X.500).  And then we should provide a separate "role"
which doesn't recurse.

Similarly for dnattr, we likely should have two forms.  One
which has a fixed depth (defined by number of attributes provided)
and one which allows recursion.

	dnattr=manager	(direct manager)
	dnattr=*manager	(my manager and his manager and her manager)
	dnattr=2*manager	(up to two levels)

	dnattr=manager/secretary	(my manager's secretary)
	dnattr=*manager/secretary	(secretaries of my management chain)

	dnattr=siblings/2*children	children of my siblings and their children,
		but not their grandchildren

>Is this of any interest?  I can give you a full syntax if you want.

Well, for me, only to a limited degree.  But I could see how
others might find it useful.
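As an added illustration (not part of this message or of any OpenLDAP code), a small Python evaluator for the dnattr syntax sketched above: fixed-depth steps, "N*" bounded steps and "*" unbounded steps chained with "/", evaluated from the target (to) entry with a visited set for loop detection. DIRECTORY is a constructed toy dataset, and the entry names and helper names are assumptions.

```python
import re
# Constructed toy directory (not real data): DN -> attribute -> DN-valued links.
# carol and dave manage each other, so "*manager" has to terminate on a loop.
DIRECTORY = {
    "uid=alice": {"manager": ["uid=bob"], "secretary": ["uid=sam"], "siblings": ["uid=eve"]},
    "uid=bob":   {"manager": ["uid=carol"], "secretary": ["uid=sue"]},
    "uid=carol": {"manager": ["uid=dave"]},
    "uid=dave":  {"manager": ["uid=carol"], "secretary": ["uid=sid"]},
    "uid=eve":   {"children": ["uid=kid1"]},
    "uid=kid1":  {"children": ["uid=kid2"]},
    "uid=kid2":  {"children": ["uid=kid3"]},
}
# One path step: "manager" (one link), "*manager" (unbounded), "2*manager" (at most 2)
STEP = re.compile(r"^(?:(\d+)?\*)?([A-Za-z][\w-]*)$")

def parse_dnattr(spec):
    """'dnattr=2*manager/secretary' -> [("manager", 2), ("secretary", 1)]; None = unbounded."""
    if spec.startswith("dnattr="):
        spec = spec[len("dnattr="):]
    steps = []
    for part in spec.split("/"):
        m = STEP.match(part)
        if not m:
            raise ValueError(f"bad dnattr step: {part!r}")
        count, attr = m.groups()
        if "*" not in part:
            hops = 1                          # fixed depth: follow exactly one link
        else:
            hops = int(count) if count else None
        steps.append((attr, hops))
    return steps

def expand(frontier, attr, hops, directory):
    """DNs reachable from `frontier` via 1..hops `attr` links; `visited` is the loop detection."""
    reached, visited, taken = set(), set(), 0
    while frontier and (hops is None or taken < hops):
        nxt = set()
        for dn in frontier:
            visited.add(dn)
            nxt.update(directory.get(dn, {}).get(attr, []))
        reached |= nxt
        frontier, taken = nxt - visited, taken + 1   # never re-expand a DN: cycles terminate
    return reached

def reachable(target_dn, spec, directory=DIRECTORY):
    """Apply the path step by step from the target (to) entry; the 'by' entry must be in the result."""
    frontier = {target_dn}
    for attr, hops in parse_dnattr(spec):
        frontier = expand(frontier, attr, hops, directory)
    return frontier
```

The cost concern in the message shows up directly: an unbounded step visits every entry in the chain, so the visited set is what keeps a cyclic manager graph from running forever.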