[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Granting rights based on relationships

At 04:14 PM 6/7/00 -0400, Mark Valence wrote:
 >Yup.  An arbitrary number of "links" though, and not just starting
 >from the current object.

"arbitrary" scares me... and "not just" should be well defined.
I can see relationships between the target (to entry) and the
subject (by entry) going in either direction, not sure were
else you'd start the processing.

Those are the only two, really. Although what I've got allows for "starting" at any DN. So "not just" means "subject also" (as well as target), with the addition any DN. DNs are not absolutely necessary, but someone might want to use them. "arbitrary" means that the code will present no limit. This does not mean that there couldn't be some configured limit, in order to save resources.

We'd, of course, have to
deal with loop detection, dead lock avoidance, etc.  And they
would be expensive.

I've taken care of loop detection. Not sure what you mean by deadlock in this context.

As far as arbitrary number of links goes (though it scares me),
we likely should expand group membership recursively as well
(per X.500).  And then we should provide a separate "role"
which doesn't recurse.

The basic functionality that I've got will handle recursive group membership. That is, we could use the same code separate from the "relationship" syntax we're talking about here.

Similiarily for dnattr, we likely should have two forms.  One
which has a fixed depth (defined by number of attributes provided)
and one which allows recursion.

	dnattr=manager	(direct manager)
	dnattr=*manager	(my manager and his manager and her manager)
	dnattr=2*manager	(up to two levels)

	dnattr=manager/secretary	(my manager's secretary)
	dnattr=*manager/secretary	(secretaries of my management chain)

dnattr=siblings/2*children children of my siblings and their children,
but not their grandchildren 

Yup, the syntax does this.

 >Is this of any interest?  I can give you a full syntax if you want.

Well, for me, only to a limited degree.  But I could see how
others might find it useful.