Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)

> What I was trying to ask is, what's driving this?  The
> desire to control entry add/deletes or the desire to
> control attribute add/deletes.  "Both" is a reasonable
> answer.

My personal driver was the capability to separate the permission to add
entries from that to delete them; so that separate identities may be
needed for entry addition and entry deletion.  As a side effect, the very
same approach allows separating the capability to add and delete
attribute values.  This is what the implementation in my patch does.  I
think the capability to separate attribute value addition and deletion may
add some value to slapd's capability.  It is my intention, if this appears
to work fine, to extend the capability to other backend types and to other
access checking approaches (i.e. ACIs).


Pierangelo Masarati

