Expires April 16, 2001
Anne Hopkins, Microsoft Corporation
Access Control Extensions to WebDAV
Status of this Memo
This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This document specifies a set of methods, headers, and resource-types that define the WebDAV Advanced Access Control extensions to the HTTP/1.1 protocol.
Table of Contents
This protocol defines advanced extensions to the access control protocol. In particular, finer control over inheritance and control over individual property access control is defined.
The augmented BNF used by this document to describe protocol elements is described in Section 2.1 of [RFC2068]. Because this augmented BNF uses the basic production rules provided in Section 2.2 of [RFC2068], those rules apply to this document as well.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
This specification defines a number of new properties for WebDAV resources. Access control properties may be set and retrieved just like other WebDAV properties, using the PROPFIND and PROPPATCH method (subject to permissions and “liveness.”
· DAV:protectaclfrominheritance: A "live" property indicating that the ACL does not inherit any ACEs. If this property is present, the ACL should contain no ACEs with the DAV:inherited element present. If this property is not present and the system supports ACL inheritance, then the ACL will contain inheritable ACEs from its parent resource. If a resource without this property present is updated with this property, it is a client choice whether to remove the inherited ACEs or retain them but remove the DAV:inherited element from the ACEs.
The DAV:ace element of a the DAV:acl property contains the following additional XML elements:
· DAV:acepropertytypes: A "live" property containing one or more elements, each of which is an XML tag identifying either a property on this resource or a property on a child resource that may inherit this ACE. Presence of DAV:acepropertytypes distinguishes this ACE as a "Property ACE." The permissions associated with a "Property ACE" control access to only the property(ies) contained in DAV:acepropertytypes, and do not control access to the resource as a whole. The set of access permissions supported on Property ACEs may be all or a subset of the DAV:access-permissions present on this resource. This spec does not provide a mechanism to specify a different set of access-permissions for a property, than for the resource. An implementation that supports a different set of access-permissions for a property than for the resource, must return an error "Unsupported Permission" on an attempt to write a Property ACE with permissions not supported by the server. [OPTIONAL]
· DAV:inherittochildtype: A "live" property containing one or more elements, each of which is an XML tag identifying the type of child object that will inherit this ACE. This property is only present if DAV:inheritanceflags contains at least one of the following: DAV:inheritonly, DAV:containerinherit, or DAV:objectinherit. A child of the current resource will only inherit this ACE if the type of the child object is present in DAV:inherittochildtype.
· DAV:inheritanceflags: A "live" property containing flags indicating the inheritance features of this ACE. For an ACE that is neither inherited, nor inheritable, this element may be either not present, or present but empty. [OPTIONAL]
The DAV:inheritanceflags element contains 0 or more of the following XML elements:
· DAV:inherited: This flag indicates the ACE is inherited from the ACL on a different resource, identified in DAV:inheritancesource. This flag MUST be present for an inherited ACE and MUST NOT be present for an explicit ACE. This flag must not be present if the DAV:protectaclfrominheritance element is present on this resource unless the DAV:inheritancesource element contains the special value DAV:system-ace, indicating that this ACE wasn't really inherited, but reflects implicit system-granted permissions. [REQUIRED]
· DAV:inheritonly: This flag indicates the ACE should be ignored during access check. The ACE is present for the purposes of inheritance only and does not affect the security of the current resource. [OPTIONAL]
· DAV:containerinherit: This flag indicates that container objects inherit this ACE as an effective ACE. The DAV:inheritonly flag, if also present on this ACE, will be removed from the inherited effective ACE on the container. If the DAV:nopropagateinheritance flag is present on the current ACE, the DAV: containerinherit flag is removed from the inherited ACE on the container. [REQUIRED]
· DAV:objectinherit: This flag indicates that non-container resources inherit this ACE as an effective ACE. The DAV:inheritonly flag, if also present on this ACE, will be removed from the inherited effective ACE on the non-container resource. If the DAV:nopropagateinheritance> flag is not present, then container resources will also inherit this ACE with the addition of the DAV:inheritonly> flag. [REQUIRED]
· DAV:nopropagateinheritance: This flag indicates the ACE should be inherited one level only. If an object inherits this ACE, the DAV:containerinherit and DAV:objectinherit flags are removed from the resultant inherited ACE, preventing further propagation of this ACE. [OPTIONAL]
To support a more scalable administration model for configuration of access control information, the spec defines an ACL inheritance model that enables an ACL, or elements of an ACL, to be inherited and reused by other resources. An ACL-compliant implementation is not required to support inheritance. Typically, an ACL defined on a container resource may be inherited by children of that container, grandchildren if they exist, and so on down the tree. Although this hierarchical tree model of inheritance is popular, this spec does not require an implementation's ACL inheritance model to follow a tree structure where child resource inherits from parent resource. Nonetheless, for convenience, this description of inheritance assumes that a child resource would inherit access control information from its parent.
Access control information is inherited at the granularity of an ACE. An inherited ace is identified by the presence of the DAV:inherited element in the DAV:inheritanceflags property. An "Explicit" ACE is an ACE defined directly on a resource, rather than inherited from a different resource. An ACE without the DAV:inherited element is by definition an Explicit ACE. Only Explicit ACEs may updated by the client.
To indicate that an ACE should be inherited by child resources, the DAV:inheritanceflags should contain:
· DAV:objectinherit to indicate that non-container children should inherit the ACE,
· DAV:containerinherit to indicate that container children should inherit the ACE, or
· both to indicate that all child resources should inherit the ACE.
When a child resource ACL inherits an ACE, the DAV:inherited flag is present on the ACE to indicate that this ACE is read-only (it may only be edited on the resource where the ACE was explicitly defined). To assist users who want to make changes to the permissions that appear in an inherited ACE, the resource from which the ACE was inherited (and therefore, on which the explicit ACE is defined and editable) is identified in the DAV:inheritancesource property. If the inheritance source cannot be determined or if the system is unable to generate a valid URI to the resource from which the ACE was inherited, DAV:inheritancesource contains the special tag DAV:unknown.
In some cases, an ACE (whether explicit or inherited) may be present on a container ACL purely for the sake of propagating the ACE to child objects and NOT to be used for access control on the container itself. In this case, the optional DAV:inheritonly flag is present on the ACE to indicate it should not be used for access check on this container.
To indicate that an ACE should be inherited by children, but not by grandchildren or any further down the tree, the optional DAV:nopropagateinheritance flag is present on the ACE. This flag indicates that when this ACE is inherited by child objects, the DAV:objectinherit and/or DAV:containerinherit elements must be removed from the inherited ACE.
To prevent an ACL from inheriting any ACEs, the optional DAV:protectaclfrominheritance property is set on the resource. If this property is present on a resource, the DAV:inherited element must not be present on any ACEs in that resource's ACL. Other inheritance flags may be present on the ACEs of this resource, since this ACL may be the source of inheritable ACEs for the subtree under this resource.
To be supplied.
To be supplied.
Authentication mechanisms defined in WebDAV will also apply to WebDAV ACL.
This document uses the namespace defined by [RFC2518] for XML elements. All other IANA considerations mentioned in [RFC2518] also applicable to WebDAV ACL.
The following notice is copied from RFC 2026, section 10.4, and describes the position of the IETF concerning intellectual property claims made against this document.
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use other technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.
This protocol is the collaborative product of the WebDAV ACL design team: xxx, yyy, zzz. We would like to acknowledge the foundation laid for us by the authors of the WebDAV and HTTP protocols upon which this protocol is layered, and the invaluable feedback from the WebDAV working group.
To be supplied.
[RFC2026] S.Bradner, "The Internet Standards Process", Harvard, 1996, <http://www.ietf.org/rfc/rfc2026.txt>.
[RFC2068] R.Fielding, J.Gettys, J.C.Mogul, H.Frystyk, and T.Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2068, U.C. Irvine, DEC, MIT/LCS, 1997, <http://www.ietf.org/rfc/rfc2068.txt >.
[RFC2119] S.Bradner, "Key words for use in RFCs to Indicate Requirement Levels", Harvard, 1997, <http://www.ietf.org/rfc/rfc2119.txt >.
[RFC2518] Y. Goland, E.Whitehead, A.Faizi, S.R.Carter, D.Jensen, "HTTP Extensions for Distributed Authoring - WEBDAV", Microsoft, U.C.Irvine, Netscape, Novell, 1999 <http://www.ietf.org/rfc/rfc2518.txt>.
One Microsoft Way
· Revisit description of Property ACEs to reflect group agreement. Add sample code. Anne will need to update Semantics descriptions to address property ACEs.