
Re: ACLs based on attributes?



Jaap Winius <jwinius@umrk.nl> writes:

> Quoting Dieter Kluenter <dieter@dkluenter.de>:

[...]
>
> This works for a user with attr title=telephonemanager. However, to
> demonstrate the flexibility of this set rule...
>
>    access to attrs=telephoneNumber
>         by set="user/description & [telephonemanager]" write
>         by users read
>
> ... this works for a user with attr description=telephonemanager!
>
> This is cool regardless, but I think my NIU-friend would say that it's
> cool because this set rule allows you to give users telephonemanager
> privileges without the need to maintain a telephonemanager group.
>
> Actually, I think this solution can be improved upon significantly.
> For example, what if our privileged user had this attribute:
>
>    description: titlemanager telephonemanager addressmanager

This is a single value; you actually want a multi-valued attribute type.

> Can a set rule be devised to match not only users with a description
> value that equals "telephonemanager", but also one that includes it in
> a longer string? We would need something like:
>
>    access to attrs=telephoneNumber
>         by set="user/description & [*telephonemanager*]" write
>         by users read
>
> Only, that doesn't work.
>
> Is this possible?

Did you define an index for description? But still I don't think this
could work, although I have never tested this.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
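An added example, not part of the thread above, showing the multi-valued approach Dieter suggests. A set rule such as `user/description & [telephonemanager]` intersects the bound user's description values with the literal set `[telephonemanager]`, and that comparison is against whole values, so a single value "titlemanager telephonemanager addressmanager" never matches. description is multi-valued in the core schema, so each role can simply be its own value. The entry and the cn=config equivalent of the slapd.conf `access to` lines are written in LDIF; dc=example,dc=com, uid=jdoe, cn=admin and the `{1}mdb` database are placeholder names. The ACL on description itself is the part worth checking in a real deployment: if a user can write their own description, they can grant themselves telephonemanager, so the attribute that carries the privilege must be writable only by the administrator.

```ldif
# Added example, not from the thread. Placeholder names: dc=example,dc=com,
# uid=jdoe, cn=admin and olcDatabase={1}mdb.
#
# One description value per role. A single value containing all three
# words would not intersect with the literal set [telephonemanager].
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
description: titlemanager
description: telephonemanager
description: addressmanager

# ACLs in cn=config form. Ordering matters: the first "to" clause that
# matches an attribute is used, and inside it the first matching "by" wins.
# {0} locks down the attribute that grants the privilege, so users cannot
# add "telephonemanager" to their own description; {1} is the rule from the
# thread, which then only fires for users the administrator has tagged.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=description
  by dn.exact="cn=admin,dc=example,dc=com" write
  by users read
olcAccess: {1}to attrs=telephoneNumber
  by set="user/description & [telephonemanager]" write
  by users read
```

Load the entry with ldapadd and the ACL change with ldapmodify as the config administrator. To verify, bind as uid=jdoe and try two modifications: changing another entry's telephoneNumber should succeed, and adding a further description value to jdoe's own entry should be refused with an insufficient-access error. If the second test succeeds, some earlier ACL is granting self write to description and the privilege is self-assignable.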