ACLs and such

Hans Wilmer lee at yun.yagibdah.de
Thu Feb 6 09:47:47 EST 2003


On Wed, Feb 05, 2003 at 07:47:45PM -0500, Rob Siemborski wrote:

> So, Offhand, I think the rest of your mail is to special purpose for
> general use, but I'll address this part of it, since its been brought up
> before.

At least the ability to automatically spread folders across several
partitions depending on their names can contribute to performance.

> Part of the design of cyrus includes the assumption that it's a bigger
> helpdesk headache when users blow away their own acls (and lose access)
> than it is if they are actually held bound to them.  Therefore, within a
> user's mailbox hierarchy, you cannot remove full rights for that user.

This is a very good point, though it took me some time to understand
it. I didn't realize that I cannot remove the 'a' flag from ACLs of
user.* mailboxes for their owners.

But I can still achieve what I want by creating an 'archives'
hierarchy outside the 'user' hierarchy. With permissions set
correctly, it's at least even more clear to the users what the
archives-stuff is about.

BTW, which IMAP clients or other programs are out there that allow
users to easily edit their ACLs? A webclient to just set ACLs would
also be ok. It would be *very* nice if I could tell our users to set
the permissions they want on their mailfolders all on their own :)

> There are various arguments against this, and I think the final
> decision was that we look at an "implicit rights" patch, whereby
> admins could specify what rights their users had on "their"
> mailboxes implicitly (and I seem to remember Ken even made one), but
> I can't locate it right now.  Ken?

So this provides control over what rights are inherited? Sounds good :)


GH




More information about the Info-cyrus mailing list