Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)

In your patch, it appears that modify/replace only requires
add.  However, as modify/replace deletes existing values,
it should require delete as well.


At 12:12 PM 4/4/2005, Pierangelo Masarati wrote:
>> What I was trying to ask is, what's driving this?  The
>> desire to control entry add/deletes or the desire to
>> control attribute add/deletes.  "Both" is a reasonable
>> answer.
>My personal driver was the capability to separate the permission to add
>entries from that to delete them; so that separate identities may be
>needed for entry addition and entry deletion.  As a side effect, the very
>same approach allows one to separate the capability to add and delete
>attribute values.  This is what the implementation in my patch does.  I
>think the capability to separate attribute value addition and deletion may
>add some value to slapd's capability.  It is my intention, if this appears
>to work fine, to extend the capability to other backend types and to other
>access checking approaches (i.e. ACIs).
>Pierangelo Masarati
>    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
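
The rule proposed in the reply above (modify/replace needs delete as well as add), as an added illustration in C. This is not code from the patch or from slapd; every type, constant and function name here is hypothetical, and the sample request is constructed.

```c
/* Added illustration: split "add" and "delete" privileges applied to a
 * modify request. Names are hypothetical, not slapd identifiers. */
#include <stddef.h>

enum priv   { PRIV_ADD = 1, PRIV_DEL = 2 };
enum mod_op { MOD_ADD, MOD_DELETE, MOD_REPLACE };

struct mod { enum mod_op op; const char *attr; };

/* Privileges a single modification needs on its attribute. */
static unsigned required_privs(enum mod_op op)
{
    switch (op) {
    case MOD_ADD:     return PRIV_ADD;
    case MOD_DELETE:  return PRIV_DEL;
    /* replace drops the existing values and then stores the new ones,
     * so an add-only identity must not be able to use it */
    case MOD_REPLACE: return PRIV_ADD | PRIV_DEL;
    }
    return PRIV_ADD | PRIV_DEL; /* unknown operation: require both */
}

/* Index of the first modification the identity may not perform,
 * or -1 when the whole request is permitted. */
static int first_denied(unsigned granted, const struct mod *mods, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned need = required_privs(mods[i].op);
        if ((granted & need) != need)
            return (int)i;
    }
    return -1;
}

/* Constructed sample request: add, then replace, then delete. */
static const struct mod sample[] = {
    { MOD_ADD,     "mail" },
    { MOD_REPLACE, "description" },
    { MOD_DELETE,  "telephoneNumber" },
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])
```

With only `PRIV_ADD` granted, the request is refused at the replace; if replace required add alone, the add-only identity could discard existing values through it.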