Policy Aspects That Are Not Supported

Recall that the new Directory access control mechanisms do not support certain high-level policy orientations such as capabilities-based access control. This section lists some additional aspects of security policy that cannot be directly approached using the standardized mechanisms.

  1. The standardized ACLs do not allow access permissions to be directly dependent on the time of day or date of the request. Time-dependent controls could be effected indirectly by using a default control which is periodically overridden by adding a higher precedence ACL. The override ACL would have to be manually removed at the point in time when the default control is to resume (actually it would not have to be completely removed; its precedence level could be lowered to eliminate its effect).
  2. The standardized ACLs do not allow access permissions to be dependent on the point of origin of the request.
  3. The standardized access control mechanisms do not support access control policies that make access decisions dependent on what has happened in the past.
  4. The standardized access control mechanisms do not support policy involving requirements for encryption to achieve secrecy during computer interactions.
  5. The standardized access control mechanisms do not directly control the depth of a subtree that may be accessed during a SEARCH operation. Level-dependent controls can be used to preclude the use of a particular level of a subtree by any SEARCH operation, but this does not flexibly support general policy statements such as: "SEARCH operation results shall not return more than 3 levels of subtree information."
  6. The standardized access control mechanisms do not support access control policies regarding information disclosed in a continuation reference; more generally, the mechanisms do not address control of the information known as knowledge, which a DSA uses to know that other DSAs exist and which objects those other DSAs hold directly. Continuation references occur in a referral and may also form part of a SEARCH result.
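The precedence-based workaround in item 1 can be modelled to show why it works and why lowering the override's precedence is enough to restore the default. The following is an added example, not code from the original document; it is a simplified model of Directory access control precedence (highest applicable precedence wins, deny beats grant at equal precedence, no applicable item means deny) that ignores user-class specificity, and the ACI item names and the user DN are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AciItem:
    """One access control item (simplified model, assumption for this example)."""
    name: str
    precedence: int       # 0..255; a higher value wins over a lower one
    grant: bool           # True = grant the permission, False = deny it
    permission: str       # e.g. "Read"
    users: frozenset      # user DNs the item applies to; "*" means everyone


def applies(item: AciItem, user: str) -> bool:
    return "*" in item.users or user in item.users


def decide(acis, user: str, permission: str) -> bool:
    """Return True if the request is granted.

    Only items matching the permission and the user are considered; among
    them the highest precedence level decides, and at that level a single
    deny overrides any grants. With no applicable item the default is deny.
    """
    candidates = [a for a in acis if a.permission == permission and applies(a, user)]
    if not candidates:
        return False
    top = max(a.precedence for a in candidates)
    return all(a.grant for a in candidates if a.precedence == top)


# Constructed sample policy: a standing default that grants Read to everyone,
# and an after-hours override that denies Read at a higher precedence.
DEFAULT = AciItem("daytime-default", 10, True, "Read", frozenset({"*"}))
OVERRIDE = AciItem("after-hours-deny", 20, False, "Read", frozenset({"*"}))
USER = "cn=alice,o=example"   # constructed requester DN


def lower_precedence(item: AciItem, new_level: int) -> AciItem:
    """Neutralise an override without deleting it, as item 1 describes."""
    return replace(item, precedence=new_level)


def demo():
    # Each entry: (ACI set in effect, decision for a Read request by USER)
    return {
        "default only": decide([DEFAULT], USER, "Read"),
        "override added": decide([DEFAULT, OVERRIDE], USER, "Read"),
        "override lowered": decide([DEFAULT, lower_precedence(OVERRIDE, 5)], USER, "Read"),
    }
```

Note that the override is only effective while its precedence exceeds the default's; an administrator who forgets to lower or remove it leaves the deny in force indefinitely, which is exactly the manual step the text warns about.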



John Barkley
Fri Oct 7 16:17:21 EDT 1994