
Re: Proposed Update to Netconf Charter



<inline>
Tom Petch

----- Original Message -----
From: "Andy Bierman" <ietf@andybierman.com>
To: <dbharrington@comcast.net>
Cc: "'Sharon Chisholm'" <schishol@nortel.com>; <netconf@ops.ietf.org>
Sent: Wednesday, July 06, 2005 12:14 AM
Subject: Re: Proposed Update to Netconf Charter
<snip>
>
> Since you asked...
>
> IMO, we need a simple 2-tier access control model
> that is independent of higher layer abstractions.
>
> 1) access is by group-name, and a group contains a list of user names.
>    A user can be included in any number of groups.

I would like to see groups permitted to contain group-names as well as users, at
least in a simple tree structure (i.e. recursive membership not allowed).  This
has been a feature of Windows-style access control for many years and I would
not want to be without it, particularly when there are predefined groups (e.g.
from the provider of the software, not necessarily specified in a standard) to
help get the system up and running quickly.


>
> 2) tier 1 is RPC method access, which is defined by the tuple:
>       { namespace-uri, method-name }
>    and access is granted by configuring via the tuple
>       { namespace-uri, method-name, group-list }

<snip>
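
Added example, not part of either message and not taken from any NETCONF specification: a sketch of the model discussed above, with groups that may contain group-names, rejection of recursive membership, and the tier 1 check on { namespace-uri, method-name, group-list }. The group names, users, rules, function names and the deny-by-default behaviour for unlisted methods are assumptions made for illustration.

```python
from typing import Dict, FrozenSet, Set, Tuple

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"  # NETCONF base namespace, used as sample data

# Constructed sample: group-name -> members. A member that is itself a key
# is treated as a nested group (assumption: group names and user names do not collide).
GROUPS: Dict[str, Set[str]] = {
    "vendor-admins": {"alice"},             # stands in for a predefined group
    "operators": {"bob", "vendor-admins"},  # group containing a group-name
    "auditors": {"carol"},
}

# Constructed sample of tier 1 rules: (namespace-uri, method-name) -> group-list
RPC_RULES: Dict[Tuple[str, str], Set[str]] = {
    (NS, "edit-config"): {"operators"},
    (NS, "get-config"): {"operators", "auditors"},
}


def expand(group: str, groups: Dict[str, Set[str]],
           path: Tuple[str, ...] = ()) -> FrozenSet[str]:
    """Flatten a group to its user names, refusing recursive membership."""
    if group in path:
        chain = " -> ".join(path + (group,))
        raise ValueError("recursive group membership: " + chain)
    users: Set[str] = set()
    for member in groups[group]:
        if member in groups:
            users |= expand(member, groups, path + (group,))
        else:
            users.add(member)
    return frozenset(users)


def validate(groups: Dict[str, Set[str]]) -> Dict[str, FrozenSet[str]]:
    """Resolve every group once, at configuration time, so a cycle is
    rejected before any access decision depends on it."""
    return {name: expand(name, groups) for name in groups}


def rpc_allowed(user: str, namespace_uri: str, method_name: str,
                rules: Dict[Tuple[str, str], Set[str]],
                members: Dict[str, FrozenSet[str]]) -> bool:
    """Tier 1 check: allow only if the user is in a group listed for the method."""
    group_list = rules.get((namespace_uri, method_name), set())  # unlisted: deny
    return any(user in members[g] for g in group_list if g in members)
```
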

