On 28.11.2010, at 17.01, Charles Marcus wrote:
It 'kind of' sounds like you're referring ("Probably they should be merged...") to something that has been discussed previously, namely, ACL 'inheritance'. Any chance that true ACL inheritance (change the parent, ACLs propogate to all sub-folders that have the 'inherit' flag set) could be added to this list? Or would that constitute more invasive changes?
ACL inheritance would require much more thinking about how exactly it should work. Otherwise it's just going to cause unexpected results.
For large/complex environments, it would also be *really* nice if there was a tool available to get a resulting tree 'view' of the ACLs and where each got set, to make sure that what you set is what you wanted - something like Microsoft's GPResult tool for checking the results of Group Policies in a Windows Domain environment. The tool could give a broad overview of an entire mail system, or on a more granular level, who has access to any given users folders, or, show all access rights to all folders that any given user has access to, etc... maybe even check ACLs against file-system permissions to make sure there are no conflicts there... anyway, just thinking out loud...
I have no idea about GPResult, but yeah, I've been thinking about some day adding "doveadm acl" command for manipulating ACLs and also giving a human-readable output of what ACLs exist for mailbox and asking what rights to what mailboxes different specific users would have.