On 19/08/2010, at 1:00 PM, Randy Bush wrote:

>> something which can take a couple of hundred basic and extended ACLs and
>> tell you
>> these <ten> don't work
>> these <twenty> conflict
>> the remaining <x> have a sequence and can reduce to this basic <x-y> set
>
> maybe you could go the other direction. as opposed to trying to digest
> and correct cruft, generate the acls from something reasonable so that
> they are canonic by construction.
>
> randy

A reasonable call. It's probably where we'll be by default, because there isn't anything there and I think first principles upward is better than paring back.

Thanks for the responses (and Roland!) I think it's clear a tool like I asked doesn't exist, and very probably won't, anytime soon.

cheers
-G

