RFC 2244 ACAP November 1997
attributes. Otherwise, all US-ASCII digits (octet values
0x30 to 0x39) are interpreted starting from the beginning of
the string to the first non-digit or the end of the string.
3.5. Access Control Lists (ACLs)
An access control list is a set of identifier, rights pairs used to
restrict access to a given dataset, attribute or attribute within an
entry. An ACL is represented by a multi-value with each value
containing an identifier followed by a tab character followed by the
rights. The syntax is defined by the "acl" rule in the formal syntax
in section 8.
Identifier is a UTF-8 string. The identifier "anyone" is reserved to
refer to the universal identity (all authentications, including
anonymous). All user name strings accepted by the AUTHENTICATE
command to authenticate to the ACAP server are reserved as
identifiers for the corresponding user. Identifiers starting with a
slash ("/") character are reserved for authorization groups which
will be defined in a future specification. Identifiers MAY be
prefixed with a dash ("-") to indicate a revocation of rights. All
other identifiers have implementation-defined meanings.
Rights is a string listing a (possibly empty) set of alphanumeric
characters, each character listing a set of operations which is being
controlled. Letters are reserved for "standard" rights, listed
below. The set of standard rights may only be extended by a
standards-track or IESG approved experimental RFC. Digits are
reserved for implementation or site defined rights. The currently
defined standard rights are:
x - search (use EQUAL search key with i;octet comparator)
r - read (access with SEARCH command)
w - write (modify with STORE command)
i - insert (perform STORE on a previously NIL value)
a - administer (perform SETACL or STORE on ACL attribute/metadata)
An implementation may force rights to always or never be granted. In
particular, implementations are expected to grant implicit read and
administer rights to a user's personal dataset storage in order to
avoid denial of service problems. Rights are never tied, unlike the
IMAP ACL extension [IMAP-ACL].
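The ACL representation above (one identifier, a tab, then the rights string, with a leading "-" marking a revocation) can be parsed and checked mechanically. The following is an added example, not code from RFC 2244 or any ACAP implementation; the sample ACL is constructed, and since this section leaves the rule for combining several matching identifiers unstated, the example assumes "union of matching grants minus union of matching revocations" and labels that as an assumption.

```python
# Added example (not from RFC 2244): parse an ACAP ACL multi-value and
# compute a principal's effective rights.
import string

# Standard rights from section 3.5: x search, r read, w write, i insert,
# a administer. Other letters are reserved; digits are site-defined.
STANDARD_RIGHTS = frozenset("xrwia")


def parse_acl(values):
    """Parse ACL values of the form identifier TAB rights.

    Returns a list of (identifier, is_revocation, rights) tuples. A leading
    "-" on the identifier marks a revocation of the listed rights.
    """
    entries = []
    for value in values:
        identifier, sep, rights = value.partition("\t")
        if not sep or not identifier:
            raise ValueError(f"malformed ACL value: {value!r}")
        for ch in rights:
            if ch in string.digits:
                continue  # implementation/site-defined right, passed through
            if ch not in STANDARD_RIGHTS:
                raise ValueError(f"unknown right {ch!r} in {value!r}")
        is_revocation = identifier.startswith("-")
        if is_revocation:
            identifier = identifier[1:]
        entries.append((identifier, is_revocation, frozenset(rights)))
    return entries


def effective_rights(values, principal_ids):
    """Rights a principal ends up with, given the set of ACL identifiers that
    apply to it (its user name, any group identifiers, and "anyone").

    Combination policy is an ASSUMPTION of this example, not RFC text:
    union of all matching grants minus union of all matching revocations.
    """
    granted, revoked = set(), set()
    for identifier, is_revocation, rights in parse_acl(values):
        if identifier in principal_ids:
            (revoked if is_revocation else granted).update(rights)
    return granted - revoked


# Constructed sample ACL: one multi-value, one string per value. "/staff"
# uses the reserved group prefix; "7" is a site-defined digit right.
SAMPLE_ACL = ["anyone\tx", "fred\trw", "/staff\tri", "-fred\tw", "alice\t7"]
```

Rejecting unknown letters at parse time matters because letters outside the standard set can only be added by a standards-track or IESG-approved RFC, so an unrecognised one indicates a malformed or forged ACL rather than a legitimate extension.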
It is possible for multiple identifiers in an access control list to
apply to a given user (or other authentication identity). For
example, an ACL may include rights to be granted to the identifier
matching the user, one or more implementation-defined identifiers
Newman & Myers Standards Track [Page 17]