[Kolab-devel] Pre-KEP input on IMAP ACL enforcement

Jeroen van Meeuwen (Kolab Systems) vanmeeuwen at kolabsys.com
Wed Aug 3 16:46:49 CEST 2011


Hello,

we have a use-case coming up for the enforcement of IMAP ACLs on certain 
folders. The use-case could be described as follows:

Manager requests access to the mailbox for Employee, and depending on what a 
corporate policy may include, this access request will either be accepted or 
denied, and may be awarded only temporarily.

That is to say, Manager may get a set of permissions applied to the Employee 
mailbox, such as 'read-only', for a period of $x days, after which the access 
needs to be revoked.

I was thinking of implementing such through LDAP attributes associated with the 
Employee (a kolabInetOrgPerson), in the form of a tuple:

  (<mail-folder>, <aci-subject>, <aci-rights> [, <utc-epoch>])

where:

- mail-folder

  Mandatory, in the form of a full path (i.e. user/employee@example.org or 
user/employee/Calendar@example.org), a wildcard (i.e. 
user/employee/%@example.org for one nested level of folders and 
user/employee/*@example.org for the complete tree).

- aci-subject

  Mandatory, either a valid identifier (i.e. 'manager@example.org' or 
'group:employee-managers@example.org') or a DN (i.e. 
uid=manager,ou=People,dc=example,dc=org), including specials such as 
'anonymous', 'anyone', 'self'.

- aci-rights

  Mandatory string, but may be an empty string "" to revoke any ACI rights.

- utc-epoch

  Optional; if set, represents the UTC epoch 1) up to which the mandatory ACLs 
are to be enforced and 2) after which the (previously enforced) ACI entry is 
supposed to be completely removed.

An Employee's LDAP entry may thus look as follows:

  dn: uid=employee,ou=People,dc=example,dc=org
  uid: employee
  mail: employee@example.org
  (...snip...)
  kolabMailFolderACLEntry: ('user/employee@example.org',
    'uid=manager,ou=people,dc=example,dc=org',
    'lrs',
    1312987340)
  kolabMailFolderACLEntry: ('user/employee/*@example.org',
    'uid=manager,ou=people,dc=example,dc=org',
    'lrs',
    1312987340)
  kolabMailFolderACLEntry: ('user/employee/Calendar@example.org',
    'uid=manager,ou=people,dc=example,dc=org',
    'lrs')
  kolabMailFolderACLEntry: ('user/employee/Calendar@example.org',
    'uid=secretary,ou=people,dc=example,dc=org',
    'lrswit')
  (...snip...)
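To make the tuple semantics concrete, here is an added example (my own illustration, not Kolab code): it parses kolabMailFolderACLEntry values as written above, folded continuation lines included, and splits them into the ACLs still to be enforced and those whose utc-epoch has passed and must be taken off the folder again. The attribute name and the sample values follow the proposal; resolving a DN subject to an IMAP identifier is assumed to happen elsewhere.

```python
import re
import time

# Matches the tuple form proposed above:
#   ('<mail-folder>', '<aci-subject>', '<aci-rights>' [, <utc-epoch>])
_ENTRY_RE = re.compile(
    r"^\(\s*'([^']*)'\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*(?:,\s*(\d+)\s*)?\)$"
)

def parse_acl_entry(value):
    """Parse one kolabMailFolderACLEntry value; folded LDIF lines are joined."""
    flat = re.sub(r"\s+", " ", value.strip())
    m = _ENTRY_RE.match(flat)
    if not m:
        raise ValueError("malformed kolabMailFolderACLEntry: %r" % value)
    folder, subject, rights, epoch = m.groups()
    if not folder or not subject:
        raise ValueError("mail-folder and aci-subject are mandatory")
    return {"folder": folder, "subject": subject, "rights": rights,
            "expires": int(epoch) if epoch is not None else None}

def desired_acls(values, now=None):
    """Split values into {(folder, subject): rights} still in force (an empty
    rights string revokes) and [(folder, subject)] whose utc-epoch has passed."""
    now = int(time.time()) if now is None else now
    enforce, remove = {}, []
    for value in values:
        entry = parse_acl_entry(value)
        key = (entry["folder"], entry["subject"])
        if entry["expires"] is not None and entry["expires"] <= now:
            remove.append(key)
        else:
            enforce[key] = entry["rights"]
    # a still-valid entry for the same folder/subject wins over an expired one
    remove = [k for k in remove if k not in enforce]
    return enforce, remove

# Constructed sample values, modelled on the example LDAP entry above
SAMPLE_VALUES = [
    "('user/employee@example.org', 'uid=manager,ou=people,dc=example,dc=org', 'lrs', 1312987340)",
    "('user/employee/*@example.org', 'uid=manager,ou=people,dc=example,dc=org', 'lrs', 1312987340)",
    "('user/employee/Calendar@example.org',\n    'uid=manager,ou=people,dc=example,dc=org',\n    'lrs')",
    "('user/employee/Calendar@example.org', 'uid=secretary,ou=people,dc=example,dc=org', 'lrswit')",
]
```

Calling desired_acls(SAMPLE_VALUES, now=1312987340 + 86400) yields the two Calendar entries to enforce and the two expired manager entries to remove.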

Kind regards,

Jeroen van Meeuwen

-- 
Senior Engineer, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
t: +44 144 340 9500
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08
