Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
Kurt D. Zeilenga wrote:
>> In fact, in my patch "write" is a level, and "add" and "delete" are
>> qualifiers of that level. So, both "add" and "delete" qualify for the
>> "write" level, but apply to separate types of "write". When one
>> specifies "write", it means that one is requesting all levels up to
>> "write", as usual, while "a" and "z" can only be specified as
>> privileges, i.e. in the "+a" form.
>
> I'm not sure it makes sense to regard "add" and "delete" as
> separate levels from "write", nor can I see (if the levels
> are added) how to order "add" and "delete"... seems there
> are reasonable arguments that add>delete and delete>add.
> Maybe we just need to split the "w"rite permission into "a"
> (add) and "z" (delete), where =w is equivalent to =az,
> but not add levels for add and delete?
>
> BTW, is this mainly aimed at entry add/delete controls?

It applies to both. The patch also addresses the modify operation: add
is required for additions, delete for deletions and both for replacements.

> or attribute add/delete controls?
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
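An added illustration (not code from the thread or from OpenLDAP) of the semantics discussed above: "write" as a level that implies every lower level, "a" and "z" as qualifiers of that level with =w equivalent to =az, and the modify rule (add needs a, delete needs z, replace needs both). The shortened ladder none < read < write and the mini-grammar for access specs are assumptions made for the example.

```python
# Added example: a model of the privilege semantics from the thread.
# Assumptions: a three-step ladder (slapd's real one has more steps) and a
# tiny grammar: a level name, "=<privs>" (set exactly) or "+<privs>" (add).

LADDER = ["none", "read", "write"]                 # assumed subset of the ladder
PRIV_OF_LEVEL = {"read": {"r"}, "write": {"r", "a", "z"}}   # write == add + delete


def level_privs(level: str) -> set:
    """A level grants its own privileges plus those of every lower level."""
    privs = set()
    for lvl in LADDER[:LADDER.index(level) + 1]:
        privs |= PRIV_OF_LEVEL.get(lvl, set())
    return privs


def apply(current: set, spec: str) -> set:
    """Apply one access spec to a privilege set and return the new set."""
    if spec in LADDER:                             # "write": all levels up to write
        return level_privs(spec)
    mode, privs = spec[0], set(spec[1:])
    if mode not in "=+" or not privs <= {"r", "w", "a", "z"}:
        raise ValueError(f"bad access spec {spec!r}")
    if "w" in privs:                               # =w is equivalent to =az
        privs = (privs - {"w"}) | {"a", "z"}
    return privs if mode == "=" else current | privs   # "+a": add only that privilege


# What each operation needs: modify-add needs a, modify-delete needs z,
# replace needs both (it deletes then adds); read is here for contrast.
NEEDED = {"add": {"a"}, "delete": {"z"}, "replace": {"a", "z"}, "read": {"r"}}


def allowed(privs: set, op: str) -> bool:
    """True when the privilege set covers everything the operation requires."""
    return NEEDED[op] <= privs
```

Starting from "read" and granting "+a" permits additions but neither deletions nor replacements, which is the split the thread is arguing for.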