The goal is to handle security on Directory access.
The directory descriptor should allow specifying some simple security restrictions:
WRITE includes READ.
If no restriction is set on the directory descriptor, the default is:
- READ : EVERYONE
- WRITE : Administrators, powerusers
This default setup is consistent with the check we are already doing in the Automation and REST endpoints.
For some specific cases, we may want to have a per-entry check, at least for WRITE access.
Example: Power Users should not be able to edit admin accounts.
For this kind of use case, we could introduce a kind of Directory SecurityPolicy (DirectoryEntrySecurityManager).
For Repository-backed Directories, the implementation could be ACL-based, and we can define other implementations for specific directories.
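
A minimal Java model of the checks proposed above, added here as an illustration and not the project's own code: descriptor restrictions fall back to the stated defaults, WRITE includes READ, and a per-entry manager can veto a write. Only the name DirectoryEntrySecurityManager comes from the proposal; the signatures, the group identifiers, the `isAdmin` field and the `hr` directory are assumptions.

```java
import java.util.*;
// Hypothetical model of the proposal; every signature here is an assumption.
public class DirectorySecurityExample {
    enum Permission { READ, WRITE }

    /** Per-entry hook; only the interface name comes from the proposal. */
    interface DirectoryEntrySecurityManager {
        boolean canWrite(Set<String> groups, Map<String, Object> entry);
    }

    static final class DirectoryPolicy {
        static final String EVERYONE = "Everyone";
        private final Map<Permission, Set<String>> grants = new EnumMap<>(Permission.class);
        private final DirectoryEntrySecurityManager entryManager; // may be null

        DirectoryPolicy(Map<Permission, Set<String>> configured, DirectoryEntrySecurityManager m) {
            grants.put(Permission.READ, Set.of(EVERYONE));                        // default READ
            grants.put(Permission.WRITE, Set.of("administrators", "powerusers")); // default WRITE
            grants.putAll(configured); // descriptor restrictions override the defaults
            entryManager = m;
        }

        boolean check(Set<String> groups, Permission p) {
            if (p == Permission.READ && check(groups, Permission.WRITE)) return true; // WRITE includes READ
            Set<String> allowed = grants.get(p);
            return allowed.contains(EVERYONE) || !Collections.disjoint(allowed, groups);
        }

        /** Directory-level WRITE first, then the optional per-entry veto. */
        boolean canWriteEntry(Set<String> groups, Map<String, Object> entry) {
            return check(groups, Permission.WRITE)
                    && (entryManager == null || entryManager.canWrite(groups, entry));
        }
    }
    public static void main(String[] args) {
        // Constructed rule and sample data: entries flagged isAdmin are editable by administrators only.
        DirectoryEntrySecurityManager protectAdmins = (g, e) ->
                !Boolean.TRUE.equals(e.get("isAdmin")) || g.contains("administrators");
        DirectoryPolicy users = new DirectoryPolicy(Map.of(), protectAdmins);
        DirectoryPolicy hr = new DirectoryPolicy(Map.of(Permission.READ, Set.of("hr")), null);
        Set<String> power = Set.of("powerusers"), member = Set.of("members");

        System.out.println("member reads users:      " + users.check(member, Permission.READ));
        System.out.println("member writes users:     " + users.check(member, Permission.WRITE));
        System.out.println("power edits plain entry: " + users.canWriteEntry(power, Map.of("isAdmin", false)));
        System.out.println("power edits admin entry: " + users.canWriteEntry(power, Map.of("isAdmin", true)));
        System.out.println("power reads hr (via WRITE): " + hr.check(power, Permission.READ));
    }
}
```

The last line shows a consequence of "WRITE includes READ": restricting READ alone does not hide a directory from groups that still hold the default WRITE.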