
RE: Granting rights based on relationships



> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Mark Valence

> >  >While we're talking about ACLs and ACIs, here's what I'd like to be
> >  >able to do.  I'd like to grant rights based on (dynamic)
> >  >relationships between the subject and the object.  Like grant access
> >  >to my boss's secretary, or to all my brother's children.  My boss
> >  >might change, or his secretary might change, so I don't want to
> >  >hard-code a DN.  Likewise, my brother might have a new kid, I don't
> >  >want to have to update my list (or use a group) when his object
> >  >contains this info.
> >
> >Something like:
> >
> >access to dn="cn=me..." attrs=entry,title
> >  by dnattr=manager/secretary write
> >  by dnattr=brother/children read
> >
>
> Yup.  An arbitrary number of "links" though, and not just starting
> from the current object.  For example, to do brother's children,
> person objects might just have "sibling" and "parent" attributes.  In
> this case, I'd need to grant access if the currently connected user's
> father was the object's (my) brother.  Obviously there are
> multi-value attribute issues here, but they are easy enough to manage.
>
> Is this of any interest?  I can give you a full syntax if you want.
>
> Mark.
>
This sounds pretty complicated to evaluate. It also sounds like we need to
cache a copy of the currently bound user's entry with the connection, as I
suggested before for atattr support. I'll look into committing that change
soon. It also seems to me that the suggestion of caching already-evaluated
ACLs makes sense to do here. The list of evaluated ACLs probably should go
on the connection handle itself, but I was first thinking of adding it to
the cached user entry. Sticking them directly on the connection might be
easier; otherwise we have to implement that virtual entry concept to take
advantage of this trick for bind DNs that don't have corresponding entries
in the slapd database.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
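The thread above sketches two things: an ACL "by" clause that follows a chain of DN-valued attributes (Mark's `dnattr=manager/secretary`, and the harder "connected user's parent is the object's sibling" case), and Howard's suggestion of caching the bound user's entry and already-evaluated ACL decisions on the connection. The following is an added illustration of how such an evaluator could work; it is not OpenLDAP/slapd code, and the in-memory directory, the `(object_path, subject_path, access)` rule tuple, `follow_path`, `Connection` and `MAX_HOPS` are all assumptions made for this example. A rule grants access when the set of DNs reached from the target entry along `object_path` intersects the set reached from the bound DN along `subject_path`; an empty `subject_path` reduces to plain `dnattr`, and two empty paths reduce to `by self`.

```python
"""Toy evaluator for relationship-based ("dnattr"-style) ACL clauses.

Added example, not slapd code.  Directory contents, rule shape and names
are assumptions chosen for illustration.
"""
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Constructed sample directory: DN -> multi-valued attributes.  The
# relationship attributes (manager, secretary, sibling, parent) hold DNs.
DIRECTORY: Directory = {
    "cn=me,dc=example,dc=com": {
        "manager": ["cn=boss,dc=example,dc=com"],
        "sibling": ["cn=bro,dc=example,dc=com"],
        "title": ["Engineer"],
    },
    "cn=boss,dc=example,dc=com": {
        "secretary": ["cn=sec1,dc=example,dc=com", "cn=sec2,dc=example,dc=com"],
    },
    "cn=sec1,dc=example,dc=com": {},
    "cn=sec2,dc=example,dc=com": {},
    "cn=bro,dc=example,dc=com": {"sibling": ["cn=me,dc=example,dc=com"]},
    "cn=kid1,dc=example,dc=com": {"parent": ["cn=bro,dc=example,dc=com"]},
    "cn=kid2,dc=example,dc=com": {"parent": ["cn=bro,dc=example,dc=com"]},
    "cn=stranger,dc=example,dc=com": {},
}

MAX_HOPS = 8  # assumed cap: keeps a long or cyclic chain from blowing up evaluation


def follow_path(directory: Directory, start_dn: str, path: str) -> Set[str]:
    """Return every DN reachable from start_dn along the '/'-separated
    attribute chain in `path`.  Multi-valued attributes fan out; a missing
    attribute, or a DN with no entry in the database, contributes nothing.
    An empty path yields {start_dn} itself."""
    hops = [h for h in path.split("/") if h]
    if len(hops) > MAX_HOPS:
        raise ValueError("relationship path too long: %s" % path)
    frontier = {start_dn}
    for attr in hops:
        nxt: Set[str] = set()
        for dn in frontier:
            nxt.update(directory.get(dn, {}).get(attr, []))
        frontier = nxt
        if not frontier:
            break  # nothing left to follow; no need to walk the remaining hops
    return frontier


# Assumed rule shape: (path from the target object, path from the bound
# subject, access level).  The rule matches when the two reachable sets meet.
Rule = Tuple[str, str, str]

# Equivalent of:   access to dn="cn=me..." attrs=entry,title
#                    by dnattr=manager/secretary write
#                    by <my sibling is your parent>  read
#                    by self write
# First matching clause wins, as with slapd "by" clauses.
ACL: List[Rule] = [
    ("manager/secretary", "", "write"),   # my boss's secretary
    ("sibling", "parent", "read"),        # my brother's children
    ("", "", "write"),                    # the entry's owner
]


def rule_matches(directory: Directory, rule: Rule, target_dn: str, bound_dn: str) -> bool:
    object_path, subject_path, _ = rule
    from_object = follow_path(directory, target_dn, object_path)
    from_subject = follow_path(directory, bound_dn, subject_path)
    return not from_object.isdisjoint(from_subject)


class Connection:
    """Per-connection state, as the reply suggests: the bound DN, its entry
    cached at bind time (None when the bind DN has no entry in this database,
    in which case every non-empty subject path is a dead end), and a memo of
    ACL decisions already evaluated on this connection."""

    def __init__(self, directory: Directory, bound_dn: str) -> None:
        self.directory = directory
        self.bound_dn = bound_dn
        self.bound_entry = directory.get(bound_dn)
        self.acl_cache: Dict[str, str] = {}

    def access(self, target_dn: str, acl: List[Rule]) -> str:
        """Return the access level the first matching rule grants, or 'none'."""
        if target_dn in self.acl_cache:
            return self.acl_cache[target_dn]
        decision = "none"
        for rule in acl:
            if rule_matches(self.directory, rule, target_dn, self.bound_dn):
                decision = rule[2]
                break
        self.acl_cache[target_dn] = decision
        return decision

    def invalidate(self) -> None:
        """Drop memoised decisions; must run whenever a relationship attribute
        anywhere in the chain changes, or the cache serves stale rights."""
        self.acl_cache.clear()
```

Because the relationships are dynamic, the per-connection decision cache is only safe while the attributes it was computed from stay unchanged; a write that changes anyone's `manager`, `secretary`, `sibling` or `parent` has to flush it (or the cache must be keyed on something that changes with the entries, such as a modify counter). The `MAX_HOPS` cap and the early exit on an empty frontier are there because the subject, not the administrator, controls how much of the graph a path walks.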