[Fedora-directory-users] ACI Design

Radek Hladik radek at eadresa.cz
Mon Dec 4 21:27:28 UTC 2006


I'm designing a new directory for keeping records about our company 
computers, accounts, etc. I would like to have a number of different 
access levels like support, management, network technician, ... Every 
entry would have a multivalued attribute named, for example, accessclass to 
determine its access, and there would be a role for every access level.
What is the best way to implement ACIs like "allow access to every entry 
with attribute accessclass=support for every member of role support"?
I've found out that there are 3 options:
1) Create separate ACI for each access class
2) Create Macro ACI using something like
roledn = "ldap:///($attr.accessclass),ou=roles,dc=....."
But it seems that this macro expands to accessclass=support,ou=roles,..
and thus my roles would need to be named using accessclass attribute 
instead of common name...
3) Create ACI using userattr like this:
userattr = "accessclass#ROLEDN"
but this would require having the complete role RDN in the user accessclass 
attribute.

Which way would you suggest?


Radek
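As an added illustration, not part of Radek's message, here are options 1 and 3 from the question written out as complete 389/Fedora DS ACIs in LDIF. The suffix dc=example,dc=com, the container ou=computers, the role cn=support,ou=roles,dc=example,dc=com and the read/search/compare permissions are assumptions:

```ldif
# Option 1: one ACI per access class. The targetfilter selects entries
# whose accessclass attribute contains "support"; the subject is the
# fixed DN of the support role (assumed DN).
dn: ou=computers,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(targetfilter="(accessclass=support)")
 (version 3.0; acl "access class support"; allow (read,search,compare)
 roledn="ldap:///cn=support,ou=roles,dc=example,dc=com";)

# Option 3: a single ACI for all classes. The bind user must hold the
# role whose DN is stored in the target entry's accessclass attribute,
# so each entry has to carry the full role DN, e.g.
#   accessclass: cn=support,ou=roles,dc=example,dc=com
dn: ou=computers,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")
 (version 3.0; acl "access class by role DN"; allow (read,search,compare)
 userattr="accessclass#ROLEDN";)
```

Option 1 keeps plain values such as accessclass: support in the entries at the cost of one ACI per class; option 3 needs only one ACI but ties the attribute values to the role DNs.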
