Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)

Kurt D. Zeilenga wrote:

I'm not sure it makes sense to regard "add" and "delete" as
separate levels from "write", nor can I see (if the levels
are added) how to order "add" and "delete"... seems there
are reasonable arguments that add>delete and delete>add
or add<>delete.

Maybe we just need to split the "w"rite permission into "a"
(add) and "z" (delete), where =w is equivalent to =az,
but not add levels for add and delete?

In fact, in my patch "write" is a level, and "add" and "delete" are qualifiers of that level. So, both "add" and "delete" qualify for the "write" level, but apply to separate types of "write". When one specifies "write", it means that one is requesting all levels up to "write", as usual, while "a" and "z" can only be specified as privileges, i.e. in the "+a" form.

BTW, is this mainly aimed at entry add/delete controls?
or attribute add/delete controls?

It applies to both. The patch also addresses the modify operation: add is required for additions, delete for deletions and both for replacements.
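To make the semantics discussed above concrete, here is a small constructed model of the proposal: "write" stays a level that implies every lower level and expands to the two qualifiers "add" and "delete" (so "=w" equals "=az"), while "a" and "z" can be granted or removed individually, and a modify is checked per operation type (add needs "add", delete needs "delete", replace needs both). This is illustrative code written for this thread, not the patch or slapd's access-control implementation; the clause syntax it accepts ("write", "=az", "+a", "-z", applied left to right) and the letter table are assumptions modelled on slapd.access(5).

```python
"""Constructed model of the ACL privilege semantics discussed in the thread.
Illustrative code only, not slapd's access-control implementation."""

from __future__ import annotations

# Access levels in increasing order; a level grants itself and every level below it.
LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")

# Privilege letters. "a" (add) and "z" (delete) are the qualifiers of "write"
# proposed in the thread; "w" is taken to mean both, so "=w" is equivalent to "=az".
# The remaining letters follow slapd.access(5) (assumed for this model).
LETTER_PRIVS = {
    "m": frozenset({"manage"}),
    "w": frozenset({"add", "delete"}),
    "a": frozenset({"add"}),
    "z": frozenset({"delete"}),
    "r": frozenset({"read"}),
    "s": frozenset({"search"}),
    "c": frozenset({"compare"}),
    "x": frozenset({"auth"}),
    "d": frozenset({"disclose"}),
    "0": frozenset(),
}


def level_privs(level: str) -> frozenset[str]:
    """Privileges granted by a level name: the level itself and all lower ones.
    "write" is not a privilege of its own here; it expands to add + delete."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level: {level!r}")
    granted: set[str] = set()
    for lvl in LEVELS[1 : LEVELS.index(level) + 1]:
        granted |= LETTER_PRIVS["w"] if lvl == "write" else {lvl}
    return frozenset(granted)


def letters_privs(letters: str) -> frozenset[str]:
    """Privileges named by a string of privilege letters such as "az"."""
    granted: set[str] = set()
    for ch in letters:
        if ch not in LETTER_PRIVS:
            raise ValueError(f"unknown privilege letter: {ch!r}")
        granted |= LETTER_PRIVS[ch]
    return frozenset(granted)


def apply_clause(current: frozenset[str], clause: str) -> frozenset[str]:
    """Apply one access clause to the privileges granted so far.
    A bare level name replaces them; "=<privs>" sets them exactly;
    "+<privs>" adds and "-<privs>" removes individual privileges."""
    if clause[:1] == "=":
        return letters_privs(clause[1:])
    if clause[:1] == "+":
        return current | letters_privs(clause[1:])
    if clause[:1] == "-":
        return current - letters_privs(clause[1:])
    return level_privs(clause)


def privileges(spec: str) -> frozenset[str]:
    """Evaluate a whitespace-separated sequence of clauses, e.g. "read +a"."""
    granted: frozenset[str] = frozenset()
    for clause in spec.split():
        granted = apply_clause(granted, clause)
    return granted


# Requirements per operation, as described in the thread: an add needs "add",
# a delete needs "delete", and a replace (modify) needs both.
REQUIRED = {
    "add": frozenset({"add"}),
    "delete": frozenset({"delete"}),
    "replace": frozenset({"add", "delete"}),
}


def allowed(spec: str, operation: str) -> bool:
    """Whether the privileges yielded by `spec` permit `operation`."""
    return REQUIRED[operation] <= privileges(spec)


if __name__ == "__main__":
    for spec in ("write", "=az", "=w", "read +a", "=a", "write -z"):
        verdict = {op: allowed(spec, op) for op in REQUIRED}
        print(f"{spec:10} -> {verdict}")
```

Running it shows the point of the split: "read +a" lets a subject add values but neither delete nor replace them, and "write -z" keeps the full write level minus deletion, so a replace (which needs both qualifiers) is refused.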


