Re: ACLs and such
Hans Wilmer wrote:

> BTW, which IMAP clients or other programs are out there that allow
> users to easily edit their ACLs? A webclient to just set ACLs would
> also be ok. It would be *very* nice if I could tell our users to set
> the permissions they want on their mailfolders all on their own :)

websieve can manage ACLs as well as sieve scripts.

Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004 Fax +34 93 5883007

Re: ACLs and such
On Thu, 6 Feb 2003, Hans Wilmer <[EMAIL PROTECTED]> wrote:

> BTW, which IMAP clients or other programs are out there that allow
> users to easily edit their ACLs? A webclient to just set ACLs would
> also be ok. It would be *very* nice if I could tell our users to set
> the permissions they want on their mailfolders all on their own :)

I just did a patch for IMP which does that, which is now in IMP's HEAD cvs branch.

--
Chris Hastie

Re: ACLs and such
On Wed, Feb 05, 2003 at 07:47:45PM -0500, Rob Siemborski wrote:

> So, Offhand, I think the rest of your mail is too special purpose for
> general use, but I'll address this part of it, since it's been brought up
> before.

At least the ability to automatically spread folders across several partitions depending on their names can contribute to performance.

> Part of the design of cyrus includes the assumption that it's a bigger
> helpdesk headache when users blow away their own acls (and lose access)
> than it is if they are actually held bound to them. Therefore, within a
> user's mailbox hierarchy, you cannot remove full rights for that user.

This is a very good point, though it took me some time to understand it. I didn't realize that I cannot remove the 'a' flag from ACLs of user.* mailboxes for their owners.

But I can still achieve what I want by creating an 'archives' hierarchy outside the 'user' hierarchy. With permissions set correctly, it's at least even more clear to the users what the archives-stuff is about.

BTW, which IMAP clients or other programs are out there that allow users to easily edit their ACLs? A webclient to just set ACLs would also be ok. It would be *very* nice if I could tell our users to set the permissions they want on their mailfolders all on their own :)

> There are various arguments against this, and I think the final
> decision was that we look at an "implicit rights" patch, whereby
> admins could specify what rights their users had on "their"
> mailboxes implicitly (and I seem to remember Ken even made one), but
> I can't locate it right now. Ken?

So this provides control over what rights are inherited? Sounds good :)

GH

Re: ACLs and such
On Thu, 6 Feb 2003, Hans Wilmer wrote:

> BTW, which IMAP clients or other programs are out there that allow
> users to easily edit their ACLs? A webclient to just set ACLs would
> also be ok. It would be *very* nice if I could tell our users to set
> the permissions they want on their mailfolders all on their own :)

Mulberry and cyradm both do this (though most people don't immediately jump to the conclusion that cyradm is an IMAP client).

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper

Re: ACLs and such
On Wed, 5 Feb 2003, Ken Murchison wrote:

> Its in the 2.2 branch. Its probably possible to backport it, but IIRC
> we discussed this and decided that 2.1 was in feature freeze.

Yeah, that makes sense. Need to go get my memory checked ;)

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper

Re: ACLs and such
Rob Siemborski wrote:

> On Wed, 5 Feb 2003, Hans Wilmer wrote:
>
> > cm user.test
> > cm user.test.archives otherpartition
> >
> > sq user.test 100
> > sq user.test.archives 1000
> >
> > sam user.test.archives test lrswipca
> >
> >
> > ... and nevertheless allow user 'test' to delete mails and folders
> > residing under user.test.archives by default?
> >
> > The point is that the user must not be able to delete his 'archives'
> > folder, but he must be able to freely operate on anything that resides
> > within that folder.
>
> So, Offhand, I think the rest of your mail is too special purpose for
> general use, but I'll address this part of it, since it's been brought up
> before.
>
> Part of the design of cyrus includes the assumption that it's a bigger
> helpdesk headache when users blow away their own acls (and lose access)
> than it is if they are actually held bound to them. Therefore, within a
> user's mailbox hierarchy, you cannot remove full rights for that user.
>
> There are various arguments against this, and I think the final decision
> was that we look at an "implicit rights" patch, whereby admins could
> specify what rights their users had on "their" mailboxes implicitly (and I
> seem to remember Ken even made one), but I can't locate it right now.
> Ken?

It's in the 2.2 branch. It's probably possible to backport it, but IIRC we discussed this and decided that 2.1 was in feature freeze.

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp

Re: ACLs and such
On Wed, 5 Feb 2003, Hans Wilmer wrote:

> cm user.test
> cm user.test.archives otherpartition
>
> sq user.test 100
> sq user.test.archives 1000
>
> sam user.test.archives test lrswipca
>
>
> ... and nevertheless allow user 'test' to delete mails and folders
> residing under user.test.archives by default?
>
> The point is that the user must not be able to delete his 'archives'
> folder, but he must be able to freely operate on anything that resides
> within that folder.

So, Offhand, I think the rest of your mail is too special purpose for general use, but I'll address this part of it, since it's been brought up before.

Part of the design of cyrus includes the assumption that it's a bigger helpdesk headache when users blow away their own acls (and lose access) than it is if they are actually held bound to them. Therefore, within a user's mailbox hierarchy, you cannot remove full rights for that user.

There are various arguments against this, and I think the final decision was that we look at an "implicit rights" patch, whereby admins could specify what rights their users had on "their" mailboxes implicitly (and I seem to remember Ken even made one), but I can't locate it right now. Ken?

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
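
The owner-rights behaviour described in this thread, and the effect of moving the archive outside the `user` hierarchy, as an added example that is not part of the original messages and is not Cyrus code. It is a simplified model: the listing format and sample ACLs are constructed, the implicit owner set `la` is an assumption (the thread only confirms that `a` cannot be removed), and negative rights and groups are ignored.

```python
# Simplified model of Cyrus owner rights as described in this thread; not Cyrus source.
ALL_RIGHTS = "lrswipcda"            # RFC 2086-era rights letters
IMPLICIT_OWNER = frozenset("la")    # ASSUMPTION: thread only confirms 'a' is irremovable

# Constructed sample: "<mailbox> <identifier> <rights> [<identifier> <rights> ...]"
SAMPLE_ACLS = """\
user.test test lrswipcda
user.test.archives test lrswip
archives.test test lrswip
user.alice.shared alice lrs test lr
"""

def owner_of(mailbox):
    """Owner of user.<id>[.sub] in the default '.'-separated namespace, else None."""
    parts = mailbox.split(".")
    return parts[1] if len(parts) >= 2 and parts[0] == "user" else None

def parse_acls(text):
    """Return {mailbox: {identifier: rights}} from the listing format above."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or len(fields) % 2 == 0:
            continue  # skip blank or malformed lines
        table[fields[0]] = dict(zip(fields[1::2], fields[2::2]))
    return table

def effective_rights(mailbox, acl, userid):
    """Rights from the user's own entry and 'anyone', plus implicit owner rights."""
    rights = set(acl.get(userid, "")) | set(acl.get("anyone", ""))
    if owner_of(mailbox) == userid:
        rights |= IMPLICIT_OWNER
    return "".join(r for r in ALL_RIGHTS if r in rights)

def ineffective_restrictions(table):
    """Mailboxes where the owner's entry omits 'a' but the owner still holds it."""
    findings = []
    for mailbox, acl in sorted(table.items()):
        owner = owner_of(mailbox)
        if owner and "a" not in acl.get(owner, ""):
            findings.append((mailbox, owner, effective_rights(mailbox, acl, owner)))
    return findings

if __name__ == "__main__":
    for finding in ineffective_restrictions(parse_acls(SAMPLE_ACLS)):
        print(finding)
```

Run over a real ACL listing converted to this format, the audit shows which owner restrictions are moot because the mailbox sits under the owner's own `user.<id>` tree.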