On Wed, Jul 31, 2013 at 06:11:02PM +0000, Jancewicz, Russell wrote:
> Should I create a single entry per account I want to give access, granting
> all attributes they would need read/write access to with a particular filter?
No - you will end up having to change the ACLs every time you add a user.
> Or would I be better off grouping access granting to members of the groups
> and adding individual rules for special edge cases?
Much better, but try to avoid those edge cases too!
> Or are both these ideas off base and something else would be preferred?
>
> Currently I am granting access by groups with access to collections of
> attributes, however as I am discovering that some accounts need access to
> those attributes with different filters my rules are continually shifting and
> growing.
Try to cut the complexity of ACLs as far as possible. ACLs are
effectively programs and they take a lot of testing when they are
modified.
I always try to turn the day-to-day changes into group-membership changes
as then the routine mods are just 'data' rather than 'program'.
One approach you might look at is to use two layers of groups: one to
categorise users by role (printer admin, user-support, accounts) and one
to give access to specific resources (password-writer,
home-address-reader, mail-address-reader). You can then make the role
groups members of the appropriate resource groups, which is a more
understandable way to express policy than typical ACLs.
More ideas here:
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
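The two-layer group design Andrew describes, sketched as an added example that is not from his mail or the linked paper. It assumes a constructed `dc=example,dc=com` tree, an mdb database at `olcDatabase={1}mdb,cn=config`, and a slapd built with ACL set support, because the `set` clause with `member*` is what expands a resource group through the role groups nested inside it; a plain `group=` clause matches direct members only.

```ldif
# Constructed example data. Layer 1: role groups hold people.
dn: cn=user-support,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: user-support
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=accounts,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: accounts
member: uid=bob,ou=people,dc=example,dc=com

# Layer 2: resource groups hold role groups, not people.
dn: cn=password-writer,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: password-writer
member: cn=user-support,ou=groups,dc=example,dc=com

dn: cn=mail-address-reader,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: mail-address-reader
member: cn=user-support,ou=groups,dc=example,dc=com
member: cn=accounts,ou=groups,dc=example,dc=com

# ACLs name only resource groups, so adding a helpdesk person is a change
# to cn=user-support (data), not to olcAccess (program).
# "member*" is the closure of the member attribute, i.e. nested groups.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by set="[cn=password-writer,ou=groups,dc=example,dc=com]/member* & user" write
  by * none
olcAccess: {1}to attrs=mail
  by self write
  by set="[cn=mail-address-reader,ou=groups,dc=example,dc=com]/member* & user" read
  by * none
olcAccess: {2}to *
  by self write
  by users read
  by * none
```

After loading, `slapacl -b uid=carol,ou=people,dc=example,dc=com -D uid=alice,ou=people,dc=example,dc=com userPassword` checks the resulting policy for a given bind DN without touching live data.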