Problem with a real group dn is that we would need to expose that at the security context, but actually can't (in reality), as we don't know what that would look like in Globus, gLite, GFS etc. The example Osamu refers to currently reads: dn_user = "O=dutchgrid, O=vu, CN=Andre Merzky"; dn_group = "O=dutchgrid, O=vu, CN=*"; I would propose to extend the example, with: dn_group = "O=dutchgrid, O=project-123, CN=*" where this DN would be issued to multiple users, belonging to that project, which is not in an organizational name space. What do you think? Andre. Quoting [Thilo Kielmann] (Sep 08 2006):

As promised, here is the condensed feedback from Osamu (chair GFS-WG) about the use of ACL's in SAGA:

----- Forwarded message from Osamu Tatebe <tatebe@cs.tsukuba.ac.jp> -----

...

In my personal opinion, group (or virtual organization) should not be related to the user's dn since the user's dn is basically issued by an organization he belongs to. Group should be formed more flexibly, although I am not sure there is a standard candidate of the group or not.

In my personal opinion, this means we should modify our example of the group ACL, then showing a more "virtual organization" in there. (At the end, it will be a "group DN" ???)

Regards,

Thilo

-- "So much time, so little to do..." -- Garfield