grouper-dev - possible ldappc enhancement
- From: Tom Barton
- To: Grouper Dev
- Subject: possible ldappc enhancement
- Date: Mon, 19 Feb 2007 14:52:06 -0600
In the agenda for next Wed's conference call I just sent out, I mentioned discussion of a possible enhancement to the way ldappc provisions signet permission objects. Here's a little background in advance.
Ldappc v1.0 supports two representations of a signet permission. One uses the prospective eduPermission object class to represent a permission object as one or more subordinate entries to the grantee's ldap entry. The other represents each permission object as one or more strings of form
<prefix>:<SubsystemId>:<PermissionId>:<ScopeId>:<LimitId>:<Limit>
where <prefix> is declared in the ldappc config file (eg, "urn:mace:example.edu:permissions"), and the other substrings are properties of the permission object being provisioned.
Neither approach enables ldappc to maintain an implementation-defined attribute value for (selected) permissions. Eg, express a permission as "eduPersonEntitlement: urn:mace:dir:entitlement:common-lib-terms".
I propose to define a mapping capability in ldappc, perhaps using xsl, to determine the string representation of signet privilege objects. The default string representation would be as it is currently. There'd be a list of privilege selection criteria and associated declarations that are effectively eval'd to produce the non-default string representation of corresponding privilege objects.
At least that's my fodder for our discussion this Wed. See you there.
Tom
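A sketch of the mapping proposed in the message above, added here as an example; it is not part of the original post and is not ldappc code. The rule format, the sample permission values and all function names are hypothetical, and refusing field values that contain ":" is a choice made in this sketch, since the message does not say how ldappc treats them.

```python
from dataclasses import dataclass

PREFIX = "urn:mace:example.edu:permissions"  # example prefix quoted in the message

@dataclass(frozen=True)
class Permission:
    # Properties of a permission object, named after the fields in the message.
    subsystem_id: str
    permission_id: str
    scope_id: str
    limit_id: str
    limit: str

# Hypothetical rule list: (selection criteria, value to provision instead of
# the default string). A field left out of the criteria matches any value.
RULES = [
    ({"subsystem_id": "library", "permission_id": "licensed-resources"},
     "urn:mace:dir:entitlement:common-lib-terms"),
]

def default_value(p, prefix=PREFIX):
    """<prefix>:<SubsystemId>:<PermissionId>:<ScopeId>:<LimitId>:<Limit>"""
    fields = (p.subsystem_id, p.permission_id, p.scope_id, p.limit_id, p.limit)
    for field in fields:
        # Sketch-only choice: a ':' inside a field would make the joined
        # string ambiguous to any consumer that splits it back apart.
        if ":" in field:
            raise ValueError(f"field contains delimiter: {field!r}")
    return ":".join((prefix,) + fields)

def provisioned_value(p, rules=RULES, prefix=PREFIX):
    """Return the first matching rule's value, else the default string."""
    for criteria, value in rules:
        # getattr raises AttributeError on an unknown criterion name, so a
        # mistyped rule fails loudly instead of silently never matching.
        if all(getattr(p, name) == want for name, want in criteria.items()):
            return value
    return default_value(p, prefix)

if __name__ == "__main__":
    # Constructed sample permissions, not taken from any real Signet data.
    mapped = Permission("library", "licensed-resources", "campus", "term", "2007")
    plain = Permission("finance", "approve", "dept-42", "max-amount", "500")
    print(provisioned_value(mapped))
    print(provisioned_value(plain))
```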