
Re: olcAccess best practices
On Wed, Jul 31, 2013 at 06:11:02PM +0000, Jancewicz, Russell wrote:

> Should I create a single entry per account I want to give access, granting all attributes they would need read/write access to with a particular filter?

No - you will end up having to change the ACLs every time you add a user.

> Or would I be better off grouping access granting to members of the groups and adding individual rules for special edge cases?

Much better, but try to avoid those edge cases too!

> Or are both these ideas off base and something else would be preferred?
> 
> Currently I am granting access by groups with access to collections of attributes, however as I am discovering that some accounts need access to those attributes with different filters my rules are continually shifting and growing.

Try to cut the complexity of ACLs as far as possible. ACLs are
effectively programs and they take a lot of testing when they are
modified.

I always try to turn the day-to-day changes into group-membership changes
as then the routine mods are just 'data' rather than 'program'.

One approach you might look at is to use two layers of groups: one to
categorise users by role (printer admin, user-support, accounts) and one
to give access to specific resources (password-writer,
home-address-reader, mail-address-reader). You can then make the role
groups members of the appropriate resource groups, which is a more
understandable way to express policy than typical ACLs.

More ideas here:

	http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------