AM Self
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (targetattr = “*”) (version 3.0; acl “S1IS Deny deleting self”; deny (delete) userdn =”ldap:///self”;)
Action: Consolidate into a single self-write ACI. The explicit deny is not required, since end users do not have permission to delete any entry, including themselves.
This is one of several ACIs that set self-privileges. The explicit deny prevents any entry from deleting itself.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (targetattr = “objectclass || inetuserstatus || iplanet-am-user-login-status || iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life || iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions || iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class”) (targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix))) (version 3.0; acl “S1IS User status self modification denied”; deny (write) userdn =”ldap:///self”;)
Action: Consolidate into a single self-write ACI.
This is one of several ACIs that set self-write privileges.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (targetattr != “iplanet-am-static-group-dn || uid || nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf || iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list”) (version 3.0; acl “S1IS Allow self entry modification except for nsroledn, aci, and resource limit attributes”; allow (write) userdn =”ldap:///self”;)
Action: Consolidate into a single self-write ACI.
This is one of several ACIs that set privileges.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (targetattr != “aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || iplanet-am-domain-url-access-allow”) (version 3.0; acl “S1IS Allow self entry read search except for nsroledn, aci, resource limit and web agent policy attributes”; allow (read,search) userdn =”ldap:///self”;)
Action: Consolidate into a single self-write ACI.
This is one of several ACIs that set self-write privileges.
-------------------------------------------------------------------------------------------------------------
- © 2010, Oracle Corporation and/or its affiliates