[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: other authority groups?

[Andreas Schuldei]
> I am working on the access control handling for user passwords (and
> other attributes)
> i am just now trying to come up with a generic algorythm to
> determine who is allowed to write to a user's ldap entry, depending
> on which authority groups he is in.  right now we have theses
> authority groups by default: admins, jradmins, teachers and students
> the basic rule is simple: 
> - if a person is in the admins group , no one can write to his
>   entry 

No-one else but the admin user and himself, I suspect you mean here.

> - if he is in jradmins, his entry is writeable by members of the
>   group admins and 

Which fields can the admin group members write to?

> - if he is in student or teacher he is writeable by both admins
>   and jradmins.

Same fields as above, I suspect?

The above rules look good to me.  We should make it simple for now,
and leave the more complex access control rules to the Cerebrum

Reply to: