[Andreas Schuldei]
> I am working on the access control handling for user passwords (and
> other attributes)
>
> I am just now trying to come up with a generic algorithm to
> determine who is allowed to write to a user's ldap entry, depending
> on which authority groups he is in. Right now we have these
> authority groups by default: admins, jradmins, teachers and students
>
> the basic rule is simple:
> - if a person is in the admins group, no one can write to his
>   entry

No-one else but the admin user and himself, I suspect you mean here.

> - if he is in jradmins, his entry is writeable by members of the
>   group admins and

Which fields can the admin group members write to?

> - if he is in student or teacher he is writeable by both admins
>   and jradmins.

Same fields as above, I suspect?

The above rules look good to me. We should make it simple for now, and leave the more complex access control rules to the Cerebrum implementation.
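
The rule discussed in this thread, written out as a small decision function. This is an added example, not code from either poster or from the project; the precedence applied when a user is in several groups, the default deny for users in no group, and the reserved uid "admin" are assumptions.

```python
# Added example, not from the thread. Group names come from the post; the
# precedence order, self-write and the reserved "admin" uid are assumptions.

# Groups whose members may write to an entry, keyed by the target's group.
WRITERS = {
    "admins": frozenset(),               # no group may write
    "jradmins": frozenset({"admins"}),   # the post's list is cut off after "admins"
    "teachers": frozenset({"admins", "jradmins"}),
    "students": frozenset({"admins", "jradmins"}),
}
# Assumption: when a target is in several groups, the most protected one decides.
PRECEDENCE = ("admins", "jradmins", "teachers", "students")
ADMIN_UID = "admin"  # assumption: the single "admin user" named in the reply


def writer_groups(target_groups):
    """Return the set of groups allowed to write to a target's entry."""
    for group in PRECEDENCE:
        if group in target_groups:
            return WRITERS[group]
    return frozenset()  # not in any authority group: default deny


def may_write(actor_uid, actor_groups, target_uid, target_groups):
    """Decide whether actor may write to target's LDAP entry."""
    if actor_uid == ADMIN_UID or actor_uid == target_uid:
        return True
    return bool(writer_groups(set(target_groups)) & set(actor_groups))


# Constructed sample directory: uid -> authority groups.
USERS = {
    "alice": {"admins"},
    "bob": {"jradmins"},
    "carol": {"teachers", "jradmins"},   # dual membership
    "dave": {"students"},
    "erin": set(),                       # no authority group
}


def write_matrix(users=USERS):
    """Map each target uid to the sorted list of other uids that may write to it."""
    return {
        t: sorted(a for a in users
                  if a != t and may_write(a, users[a], t, users[t]))
        for t in users
    }
```

With the sample directory, carol's jradmins membership takes precedence over teachers, so bob (a jradmin) cannot write to her entry even though he can write to dave's.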

