Proposed change 2003.4: "mnt-lower:" on set objects
Colleagues,

This is one of a number of proposed changes to the way the RIPE Database works. These are changes that are intended to make the database work more consistently, as well as provide an increased level of security and control to users. Please have a look, and discuss it here.

[2003.4] Addition of "mnt-lower:" to set objects
------------------------------------------------

Change:

The "mnt-lower:" attribute will be optional for all set object types, which are as-set, filter-set, peering-set, route-set, and rtr-set. The "mnt-lower:" must authorise creation when hierarchical names are used. If it is not present, "mnt-by:" must authorise the creation.

Motivation:

The set objects in RPSL allow hierarchical names. The rules for authorising creation of such an object are documented in RPSS, and specify that when an AS is used in the name, "mnt-lower:" on the aut-num object may authorise the creation, otherwise "mnt-by:" of the aut-num is used. In this case:

    as-set: AS1:AS-foo

If AS1 had a "mnt-lower:" attribute, the maintainer listed there would have to authenticate the creation, otherwise the "mnt-by:" of AS1 would be used. This allows the administrator of an aut-num to delegate authority to create sets to maintainers without having to allow them to modify the aut-num itself.

This functionality is not present within the set classes themselves. For example:

    as-set: AS1:AS-Foo:AS-Bar

If the AS1:AS-Foo object is allowed to have the "mnt-lower:" attribute, a maintainer that can create AS1:AS-Foo:AS-Bar but not modify AS1:AS-Foo can be used.

--
Shane Kerr
RIPE NCC
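Added example, not part of the original message and not RIPE Database code: a sketch of the creation check the proposal describes, where the parent object's "mnt-lower:" authorises creation of a hierarchical set and "mnt-by:" is used only when "mnt-lower:" is absent. The object store, maintainer names and function names are constructed; treating names as case-insensitive, accepting any one listed maintainer, and refusing creation when the parent object does not exist are assumptions.

```python
# Constructed sample database: primary key (upper-cased) -> attributes.
DB = {
    "AS1": {"class": "aut-num",
            "mnt-by": ["MNT-AS1-ADMIN"],
            "mnt-lower": ["MNT-AS1-SETS"]},
    # With the proposed change a set object may carry "mnt-lower:" itself.
    "AS1:AS-FOO": {"class": "as-set",
                   "mnt-by": ["MNT-AS1-SETS"],
                   "mnt-lower": ["MNT-CUSTOMER"]},
    # No "mnt-lower:" here, so "mnt-by:" must authorise creation below AS2.
    "AS2": {"class": "aut-num", "mnt-by": ["MNT-AS2-ADMIN"]},
}


def parent_name(set_name):
    """Return the parent of a hierarchical name, or None for a flat name."""
    head, sep, _ = set_name.upper().rpartition(":")
    return head if sep else None


def creation_authorisers(set_name, db=DB):
    """Maintainers of the parent object that may authorise creating set_name."""
    parent = parent_name(set_name)
    if parent is None:
        raise ValueError("not a hierarchical name: %s" % set_name)
    obj = db.get(parent)
    if obj is None:
        # Assumption: without a parent object nobody can authorise creation.
        raise LookupError("parent object %s does not exist" % parent)
    # "mnt-lower:" takes precedence; "mnt-by:" is consulted only if it is absent.
    return obj.get("mnt-lower") or obj["mnt-by"]


def may_create(set_name, authenticated, db=DB):
    """authenticated: set of maintainer names whose credentials were verified."""
    # Assumption: any one of the listed maintainers is sufficient.
    return bool(set(creation_authorisers(set_name, db)) & set(authenticated))


if __name__ == "__main__":
    for name, who in [("AS1:AS-foo", {"MNT-AS1-SETS"}),
                      ("AS1:AS-Foo:AS-Bar", {"MNT-CUSTOMER"}),
                      ("AS1:AS-Foo:AS-Bar", {"MNT-AS1-SETS"}),
                      ("AS2:AS-Cust", {"MNT-AS2-ADMIN"})]:
        print(name, sorted(who), "->", may_create(name, who))
```

In the sample data MNT-CUSTOMER can create AS1:AS-Foo:AS-Bar without being able to modify AS1:AS-Foo, which is the delegation the proposal is after.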