Hello everybody,

I'm trying to reach a better understanding of the UA security model. By
this I mean the various levels and layers that define wheter a user can
or cannot read/write an attribute through specific portlets of the UA.
This is important for me to properly configure the UA to do behave in a
specific way, outlined lower in this message.

1. UA Security Model
====================

Consider for instance the "detail" portlet used for modifying one's own
first name.

1. The logged on user has to be allowed to execute the portlet.
2. The logged on user has to be allowed to read/write the attribute
through the "directory abstraction layer" (question here : is there any
ACL on attributes at this level or is this an "everybody-or-nobody"
configuration for each attribute ?).
3. The logged on user has to be allower to read/write the attribute at
the Vault/eDir level (ACLs on the object and attribute).

Is my description above correct or am I missing something here ?

2. Specific behavior in UA
==========================

With this in mind, here's the actual problem we're facing :

We have developped additional portlets to create a new identity in the
Vault/eDir and to modify an existing identity in the Vault/eDir. The
create identity portlet browses for available containers in which to
create the new identity through the ContainerLookup portlet/control.
The modify identity portlet browses for available users to modify
through the ParamLookup portlet/control.

We want to be able to restrict the scope when browsing through these
portlets to specific OUs on a per-user basis (e.g. allow the HRmanager
from the SALES OU to only try create/modify in the SALES OU, and so on).
We could do that by setting ACLs on other OUs that would prevent a user
from one OU from browsing other OUs.

But... What would happen in the Organization Chart portlet ? I suspect
the users would only be able to see users from their own OU, which is
not intended. Is this right ?

In addition, if there's anyone understanding what we're trying to do,
I'd appreciate comments/suggestions regarding other ways to reach our goal.

Thanks in advance for any hint regarding this,

Jerome