Details
- New Feature
- Status: Closed
- Major
- Resolution: Fixed
Description
Support for modifying an ACE with more specific details to support advanced usage of privileges with restrictions.
These are a few of the use cases:
- Setting a restriction for a specific privilege instead of for all privileges
- Removing a restriction from a specific privilege
- A privilege can be set for the 'allow' and 'deny' states at the same time if those have different restrictions
- A privilege can be unset for the 'allow' or 'deny' state while leaving the other state alone
The proposal is to support these additional request parameters:
- privilege@[privilege_name]@Delete: One param for each privilege to delete. The parameter value must be either 'allow', 'deny' or 'all' to specify which state to delete from.
- restriction@[privilege_name]@[restriction_name]@Allow and restriction@[privilege_name]@[restriction_name]@Deny: One param for each restriction value. The same parameter name may be used again for multi-value restrictions. The @Allow or @Deny suffix specifies whether to apply the restriction to the 'allow' or 'deny' privilege. The value is the target value of the restriction to be set.
- restriction@[privilege_name]@[restriction_name]@Delete: One param for each restriction to delete. The parameter value must be either 'allow', 'deny' or 'all' to specify which state to delete from.
For consistency, also extend the values allowed for the "privilege@[privilege_name]" parameter to accept 'allow' or 'deny' as aliases for 'granted' or 'denied'.
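The following sketch shows how a request using the parameters above could be sorted into a change plan before anything is applied to the ACL. It is an added example, not code from the project: the function name `parse_ace_params`, the plan layout, and the sample request are assumptions, and it accepts only the parameter forms and values named in this issue.

```python
STATE_ALIASES = {"granted": "allow", "denied": "deny", "allow": "allow", "deny": "deny"}
DELETE_TARGETS = {"allow", "deny", "all"}


def parse_ace_params(params):
    """Sort (name, value) request parameters into an ACE change plan.

    Only the parameter forms named in this issue are interpreted; any other
    name is listed under "ignored". A malformed name or an unsupported value
    raises ValueError so the request can be rejected as a whole.
    """
    plan = {"set_privilege": {}, "delete_privilege": {},
            "set_restriction": {}, "delete_restriction": {}, "ignored": []}
    for name, value in params:
        kind, *parts = name.split("@")
        if kind in ("privilege", "restriction") and "" in parts:
            raise ValueError(f"{name}: empty name segment")
        if kind == "privilege" and len(parts) == 1:
            if value not in STATE_ALIASES:
                raise ValueError(f"{name}: unsupported value {value!r}")
            # 'allow'/'deny' are aliases for 'granted'/'denied'
            plan["set_privilege"][parts[0]] = STATE_ALIASES[value]
        elif kind == "privilege" and len(parts) == 2 and parts[1] == "Delete":
            if value not in DELETE_TARGETS:
                raise ValueError(f"{name}: unsupported value {value!r}")
            plan["delete_privilege"][parts[0]] = value
        elif kind == "restriction" and len(parts) == 3 and parts[2] in ("Allow", "Deny"):
            # A repeated parameter name accumulates a multi-value restriction
            key = (parts[0], parts[1], parts[2].lower())
            plan["set_restriction"].setdefault(key, []).append(value)
        elif kind == "restriction" and len(parts) == 3 and parts[2] == "Delete":
            if value not in DELETE_TARGETS:
                raise ValueError(f"{name}: unsupported value {value!r}")
            plan["delete_restriction"][(parts[0], parts[1])] = value
        else:
            plan["ignored"].append(name)
    return plan


# Constructed sample request; names and values are illustrative only.
SAMPLE = [
    ("principalId", "alice"),
    ("privilege@jcr:read", "granted"),
    ("privilege@jcr:write@Delete", "deny"),
    ("restriction@jcr:read@rep:glob@Allow", "/docs/*"),
    ("restriction@jcr:read@rep:itemNames@Deny", "secret"),
    ("restriction@jcr:read@rep:itemNames@Deny", "internal"),
    ("restriction@jcr:modifyProperties@rep:glob@Delete", "all"),
]

if __name__ == "__main__":
    for section, content in parse_ace_params(SAMPLE).items():
        print(section, content)
```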