[Date Prev][Date Next]
Re: Allowing users to add, but not delete, entries?
Gervase Markham wrote:
Summary: is it possible to configure access control such that users to
can add, but not delete, entries?
Yes, see "add" level (cfr.. "a" permission) in slapd.access(5).
My planned schema has a branch:
The entries below this are like this:
member=<user dn 1>
member=<user dn 2>
member=<user dn 3>
I have worked out how to make it so users can only add and remove
themselves from a tag:
access to dn.children="ou=tags,dc=example,dc=com" attrs=member,entry
# Allow people to add and remove themselves from any other tag
by dnattr=member selfwrite
# Allow anyone to read
by anonymous read
So far so good, but I would like authenticated users to be able to add
new entries (tags), and add themselves as members to them, but _not_ to
be able to delete tags.
Even better, the tag would be deletable, or even automatically removed,
but only if the user removed their own name and there were no more
members - i.e. it was empty. (I believe the member attribute is
mandatory in groupOfNames, and I don't want it to be impossible for
someone to remove their name because they are the only member!)
This is difficult, because as far as I can see the "write" permission
does not distinguish between adding and deleting.
Can someone tell me if this is possible?