Work in progress

This site is in the process of being reviewed and updated.

ACIItem syntax (and with it the capability of the scheme) is defined for the Basic Access Control scheme within X.500. Any extensions to this scheme can be specified as a new access control scheme. Extending the current scheme while leaving its name as it is would also be possible, but that may lead to interoperability problems in the future. So extensions will be proposed as new access control schemes.

See also Administrative Model Extensions.

Extended Access Control Scheme

New UserClasses

  • creator
  • notCreator
  • parent

The idea with the first two is to classify the user as either the creator or not the creator of an entry. This can be determined by checking the creatorsName operational attribute within the entry. The converse, 'notCreator', also has merit. These two user classes come in handy when operations need to be granted or denied to users depending on whether they are the creator of an entry.

The parent user class can be used to grant or deny access to an entry that is subordinate to the entry of the user performing the operation.

New ProtectedItems

  • allOperationalAttributeTypes
  • allOperationalAttributeTypesAndValues
  • allAttributeTypes
  • allAttributeTypesAndValues
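The following is an added worked example (written for this page, not ApacheDS or X.500 reference code) showing how an ACI evaluator could decide the proposed user classes above, by comparing the requester's DN with the creatorsName operational attribute and with the target entry's DN, and how the four proposed protected items select attribute types. The entry, the ACI items, the DNs, the set of operational attribute types and the simplified deny-over-grant rule are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass

# Operational attribute types as in X.501 / RFC 4512 (a small, constructed subset for the demo).
OPERATIONAL_ATTRIBUTE_TYPES = {
    "creatorsname", "createtimestamp", "modifiersname", "modifytimestamp",
    "entryuuid", "entrycsn", "subschemasubentry",
}


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: lower-case, no whitespace around RDN separators.
    (Real X.500 DN matching also normalises attribute values per their matching rules.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_subordinate(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn lies anywhere below base_dn (immediate child or deeper).
    Assumption: 'subordinate' is not restricted to immediate children."""
    return normalize_dn(entry_dn).endswith("," + normalize_dn(base_dn))


@dataclass
class Entry:
    dn: str
    attributes: dict  # attribute type -> list of values, operational attributes included


@dataclass
class AciItem:
    user_class: str      # "creator", "notCreator", "parent" or the existing "allUsers"
    protected_item: str  # one of the four proposed all*AttributeTypes* items
    operation: str       # "read" or "modify"
    grant: bool          # True = grant, False = deny


def user_class_matches(user_class: str, requester_dn: str, entry: Entry) -> bool:
    if user_class == "allUsers":
        return True
    if user_class == "creator":
        # Decided from the creatorsName operational attribute of the target entry.
        creators = entry.attributes.get("creatorsName", [])
        return any(normalize_dn(c) == normalize_dn(requester_dn) for c in creators)
    if user_class == "notCreator":
        return not user_class_matches("creator", requester_dn, entry)
    if user_class == "parent":
        # The target entry must be subordinate to the requester's own entry.
        return is_subordinate(entry.dn, requester_dn)
    raise ValueError(f"unknown user class: {user_class}")


def protected_item_matches(protected_item: str, attr_type: str) -> bool:
    operational = attr_type.lower() in OPERATIONAL_ATTRIBUTE_TYPES
    if protected_item in ("allOperationalAttributeTypes",
                          "allOperationalAttributeTypesAndValues"):
        return operational
    if protected_item in ("allAttributeTypes", "allAttributeTypesAndValues"):
        return True  # assumption: covers user and operational attribute types alike
    raise ValueError(f"unknown protected item: {protected_item}")


def is_permitted(aci_items, requester_dn: str, entry: Entry,
                 attr_type: str, operation: str) -> bool:
    """Default deny; an applicable deny outranks an applicable grant.
    The precedence levels of the real Basic Access Control scheme are omitted."""
    applicable = [
        item for item in aci_items
        if item.operation == operation
        and user_class_matches(item.user_class, requester_dn, entry)
        and protected_item_matches(item.protected_item, attr_type)
    ]
    if any(not item.grant for item in applicable):
        return False
    return any(item.grant for item in applicable)


# Constructed sample data: one entry, a few ACI items and three requesters.
ENTRY = Entry(
    dn="cn=John Doe,ou=people,dc=example,dc=com",
    attributes={
        "cn": ["John Doe"],
        "mail": ["john@example.com"],
        "creatorsName": ["cn=Provisioner,ou=system,dc=example,dc=com"],
        "createTimestamp": ["20240101000000Z"],
    },
)

ACI = [
    AciItem("allUsers",   "allAttributeTypes",            "read",   grant=True),
    AciItem("notCreator", "allOperationalAttributeTypes", "read",   grant=False),
    AciItem("creator",    "allAttributeTypesAndValues",   "modify", grant=True),
    AciItem("parent",     "allAttributeTypesAndValues",   "modify", grant=True),
]

CREATOR = "cn=Provisioner,ou=system,dc=example,dc=com"
PARENT = "ou=people,dc=example,dc=com"
OTHER = "cn=Someone Else,ou=people,dc=example,dc=com"

if __name__ == "__main__":
    print(is_permitted(ACI, CREATOR, ENTRY, "createTimestamp", "read"))  # True
    print(is_permitted(ACI, OTHER, ENTRY, "createTimestamp", "read"))    # False
    print(is_permitted(ACI, OTHER, ENTRY, "mail", "read"))               # True
    print(is_permitted(ACI, PARENT, ENTRY, "mail", "modify"))            # True
    print(is_permitted(ACI, OTHER, ENTRY, "mail", "modify"))             # False
```

The sample ACI hides operational attributes from everyone except the creator of the entry, and lets the creator or the superior entry's owner modify it; the parent check deliberately fails for the entry itself, so a user never becomes "parent" of their own entry.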

Enhanced Access Control Scheme

Use IP Address and or Hostname

We do not have this kind of information directly in the core, so this will be somewhat hard to implement. But we need it, of course.

Use Time of Day and other time related information

This one is needed to implement a more precise security system, which some access control standards require.