[Date Prev][Date Next] [Chronological] [Thread] [Top]

Allowing users to add, but not delete, entries?


Summary: is it possible to configure access control such that users to can add, but not delete, entries?


My planned schema has a branch:


The entries below this are like this:

member=<user dn 1>
member=<user dn 2>
member=<user dn 3>

I have worked out how to make it so users can only add and remove themselves from a tag:

access to dn.children="ou=tags,dc=example,dc=com" attrs=member,entry
  # Allow people to add and remove themselves from any other tag
  by dnattr=member selfwrite
  # Allow anyone to read
  by anonymous read

So far so good, but I would like authenticated users to be able to add new entries (tags), and add themselves as members to them, but _not_ to be able to delete tags.

Even better, the tag would be deletable, or even automatically removed, but only if the user removed their own name and there were no more members - i.e. it was empty. (I believe the member attribute is mandatory in groupOfNames, and I don't want it to be impossible for someone to remove their name because they are the only member!)

This is difficult, because as far as I can see the "write" permission does not distinguish between adding and deleting.

Can someone tell me if this is possible?