Re: other authority groups?
[Andreas Schuldei]
> I am working on the access control handling for user passwords (and
> other attributes)
>
> I am just now trying to come up with a generic algorithm to
> determine who is allowed to write to a user's LDAP entry, depending
> on which authority groups he is in. Right now we have these
> authority groups by default: admins, jradmins, teachers and students
>
> the basic rule is simple:
> - if a person is in the admins group, no one can write to his
> entry

No-one else but the admin user and himself, I suspect you mean here.

> - if he is in jradmins, his entry is writeable by members of the
> group admins and

Which fields can the admin group members write to?

> - if he is in student or teacher he is writeable by both admins
> and jradmins.

Same fields as above, I suspect?

The above rules look good to me. We should make it simple for now,
and leave the more complex access control rules to the Cerebrum
implementation.
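
The write rules discussed above, as an added Python sketch that is not code from the thread or from any project; it also covers the case the thread does not mention, a target who belongs to several authority groups. Assumptions: the most protected group of the target decides, a jradmins entry is writable by admins only (the quoted rule is cut off), a user may always write to his own entry, and `ADMIN_USER` is a hypothetical name for "the admin user".

```python
# Added illustration; group names come from the thread, the rest is assumed.

# Groups whose members may write to an entry owned by someone in the key group.
WRITERS_FOR = {
    "admins": frozenset(),                      # nobody via group membership
    "jradmins": frozenset({"admins"}),          # assumption: admins only
    "teachers": frozenset({"admins", "jradmins"}),
    "students": frozenset({"admins", "jradmins"}),
}

# Most protected first. Assumption: if the target is in several groups,
# the most protected one governs, so a teacher who is also an admin
# cannot be modified by a jradmin.
PRECEDENCE = ("admins", "jradmins", "teachers", "students")

ADMIN_USER = "admin"  # hypothetical account name for "the admin user"


def governing_group(target_groups):
    """Return the most protected authority group the target belongs to."""
    for group in PRECEDENCE:
        if group in target_groups:
            return group
    return None


def may_write(actor, actor_groups, target, target_groups):
    """Decide whether actor may write to target's LDAP entry."""
    if actor == target or actor == ADMIN_USER:
        return True
    group = governing_group(set(target_groups))
    if group is None:
        return False  # assumption: default deny outside the known groups
    return bool(WRITERS_FOR[group] & set(actor_groups))


if __name__ == "__main__":
    # Constructed sample users: (name, groups)
    bob = ("bob", {"jradmins"})
    carol = ("carol", {"teachers", "admins"})
    dave = ("dave", {"students"})
    for actor, target in [(bob, carol), (bob, dave), (dave, dave)]:
        print(actor[0], "->", target[0], may_write(*actor, *target))
```
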