[Fedora-directory-devel] ACI evaluation

Jeff Clowser jclowser at unitedmessaging.com
Mon Oct 10 13:56:50 UTC 2005 

I don't think the order in which they are processed matters (maybe very 
slightly from a performance pov, but not from a "what can I do" pov).

Denies take precedence over allows no matter where they are, and all 
aci's are cumulative, so your access is the combined set of permissions 
defined, no matter the order they are in.  Also, deny is the default, so 
a lack of an aci to allow something will deny it (FWIW, I never use deny 
aci's if at all possible, because there is no way to override them with 
a subsequent allow - better to carefully define what you allow and where).

This is much different than openldap aci's, where the order is very 
important.

In your example, presumably anonymous will have some base level of 
access, and config, directory, and group admin aci's will give 
additional access.  Adding a user to each of these groups will extend 
their access by what each aci allows, and putting users in more than one 
of these groups will just allow them more access, but the order they 
appear in doesn't matter (and given that they are in the same entry, 
there is no way to specify/guarantee the order anyway).

 - Jeff

discover wrote:

> Thanks David . Regarding the order of ACI , I meant for example, say 
> there are 4 ACIs on dc=example,dc=com.
> One for config admins, one for directory admins, Anonymous Access and 
> one for group admin listed in that order. Whether this particular 
> order has any impact ? Or the order is insignificant ?
>
> David Boreham wrote:
>
>> discover wrote:
>>
>>> Is there any way to see the order of ACI evaluation for search/mod 
>>> ...etc ? 
>>
>>
>>
>> Not easily. You might me able to glean some information by enabling
>> access control logging and looking at the error log output when you 
>> submit
>> an operation.
>>
>>> Also does the order of ACI impact the performance ?
>>
>>
>>
>> Probably not. (not sure if you mean the order the aci attributes
>> are added to the DS -- in that case absolutely not; or if you
>> are asking about the internal ordering of clauses within a
>> single aci -- in that case probably not).
>>
>> To gain a total understanding you'd really need to step through
>> the code in the debugger, which would only suit those
>> with a strong constitution.
>>
>>
>>
>> -- 
>> Fedora-directory-devel mailing list
>> Fedora-directory-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>>
>
>
> -- 
> Fedora-directory-devel mailing list
> Fedora-directory-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-devel

More information about the Fedora-directory-devel mailing list