Variables in ACL's


Post by superbock » Wed Apr 23, 2003 2:40 pm

Hello Brad,

Let's say I have a bunch of users all belonging to the same group.
I wish to have only one role ACL for that group, but for that to work some objects must be referenced with a variable (/home/$USER for example).

Is this viable? If so, are there any plans for implementing this on 2.0 or more in the future?

If this isn't possible/implemented, should I expect some severe performance hit running around 100 very similar role ACLs?

Thanks again.
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

Post by spender » Wed Apr 23, 2003 2:57 pm

It would probably be better to do a group role for your users. The DAC and MAC will work together to essentially give you what you would do with individual roles. You can use the wildcarding like /home/*/directory and such as well. Variable support isn't in yet, but it will be implemented at some point. You won't see any performance hit no matter how many rules you have. It will take a considerable amount of memory, however, to have so many roles (especially if you have a lot of large subjects in each of them), which is why I suggested the group role.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by superbock » Wed May 07, 2003 10:18 am

The file structure in this case does not allow me to close things as much as I would like to if I rely on DAC. Roles is the way. Glad to know that about variable support, it's a great feature and I can't wait to try it out.

Thanks
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm
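The trade-off discussed in this thread, as an added example that is not part of the original posts and is not grsecurity code: a simplified Python model of one group role with wildcard objects layered on Unix DAC. The rule list, paths, uids and modes are constructed, and treating `*` as matching a single path component is an assumption of the model, not a statement about the kernel's matcher.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class File:
    path: str
    uid: int
    gid: int
    mode: int  # Unix permission bits, e.g. 0o600

# Constructed object rules for a single group role: (pattern, allowed access).
GROUP_ROLE_RULES = [
    ("/home/*/mail", "rw"),
    ("/home/*/public", "r"),
]

def mac_allows(path, want, rules=GROUP_ROLE_RULES):
    """Longest matching pattern decides; a path with no match is denied."""
    for pattern, allowed in sorted(rules, key=lambda r: -len(r[0])):
        # Model assumption: "*" stays inside one path component.
        regex = re.escape(pattern).replace(r"\*", "[^/]*")
        # A rule on a directory also covers everything beneath it.
        if re.fullmatch(regex + r"(/.*)?", path):
            return want in allowed
    return False

def dac_allows(f, uid, gid, want):
    """Classic owner/group/other permission-bit check."""
    shift = 6 if uid == f.uid else 3 if gid == f.gid else 0
    return bool((f.mode >> shift) & {"r": 4, "w": 2}[want])

def access(f, uid, gid, want):
    """A request succeeds only when both the role and DAC allow it."""
    return mac_allows(f.path, want) and dac_allows(f, uid, gid, want)

# Constructed sample: alice (uid 1001) and bob (uid 1002) share gid 100.
ALICE, BOB, USERS = 1001, 1002, 100
alice_inbox = File("/home/alice/mail/inbox", ALICE, USERS, 0o600)
bob_inbox = File("/home/bob/mail/inbox", BOB, USERS, 0o600)
bob_shared = File("/home/bob/mail/shared", BOB, USERS, 0o664)  # loose DAC
bob_notes = File("/home/bob/notes.txt", BOB, USERS, 0o644)     # no rule

if __name__ == "__main__":
    for f in (alice_inbox, bob_inbox, bob_shared, bob_notes):
        print(f.path, "alice r:", access(f, ALICE, USERS, "r"),
              "w:", access(f, ALICE, USERS, "w"))
```

With one shared wildcard rule, alice is kept out of bob's inbox only because its mode is 0600; the group-writable file under the same pattern stays reachable, which is the case where per-user roles or variable support would be needed.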

