Technical Note: Sun Java System Access Manager ACI Guide

User ACIs

ACI 1:

aci: (targetattr = "objectclass || inetuserstatus || iplanet-am-user-login-status
|| iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life
|| iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time
|| iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions
|| iplanet-am-session-add-session-listener-on-all-sessions
|| iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))
(version 3.0; acl "S1IS User status self modification denied";
deny (write) userdn="ldap:///self";)

This ACI prevents users from writing to or modifying the attributes listed in its targetattr clause in their own directory entry; the targetfilter exempts entries that hold the Top-level Admin Role. If these attributes need to be changed, an Admin user can still do it.

ACI 2:

aci: (targetattr != "iplanet-am-static-group-dn || uid || nsroledn || aci
|| nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf
|| iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list")
(version 3.0; acl "S1IS Allow self entry modification except for nsroledn, aci,
and resource limit attributes"; allow (write) userdn="ldap:///self";)

This ACI allows users to write to their own directory entry except for the attributes listed in its targetattr clause (note the != operator); those attributes are left out of the grant, so users cannot modify them. However, the Organization Admin Role ACIs override this ACI and allow self-modification of the nsroledn attribute, so that administrators can assign themselves certain service roles and admin roles of lesser or equal privilege, because the current ACIs prevent the organization admin from assigning the top-level admin roles.

ACI 3:

aci: (targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow") (version 3.0;
acl "S1IS Allow self entry read search except for nsroledn, aci, resource limit
and web agent policy attributes"; allow (read,search) userdn="ldap:///self";)

This ACI allows users to read and search the attributes of their own directory entry, with the exception of the following target attributes, which are excluded from the grant: aci, nsLookThroughLimit, nsSizeLimit, nsTimeLimit, nsIdleTimeout, and iplanet-am-domain-url-access-allow.

ACI 4:

aci: (targetattr = "*")(version 3.0;
acl "S1IS Deny deleting self"; deny (delete) userdn="ldap:///self";)

This ACI prevents users from deleting their own directory entry: the delete right applies to the entry as a whole, and targetattr = "*" makes the deny cover it whatever attributes the entry holds.
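The four User ACIs combine under the Directory Server rule that an applicable deny overrides any allow, and that access no allow grants is denied by default. The Python script below is an added example, not part of the original note or of the Access Manager product: it parses the four ACIs as written above (only the targetattr clause, the (!(attr=value)) targetfilter form and the userdn="ldap:///self" bind rule they use are modelled) and evaluates self-access decisions for two constructed sample entries, REGULAR_USER and TOP_LEVEL_ADMIN, which are made up; the attribute names, role DN and ACI names are taken from the note.

```python
import re

# The four User ACIs from the note, each joined onto one line (the "aci:" LDIF
# attribute prefix is dropped). Only the userdn="ldap:///self" bind rule and the
# (!(attr=value)) targetfilter form that these ACIs use are handled by the parser.
USER_ACIS = [
    '(targetattr = "objectclass || inetuserstatus || iplanet-am-user-login-status '
    '|| iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow '
    '|| iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life '
    '|| iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time '
    '|| iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions '
    '|| iplanet-am-session-add-session-listener-on-all-sessions '
    '|| iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class")'
    '(targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))'
    '(version 3.0; acl "S1IS User status self modification denied"; '
    'deny (write) userdn="ldap:///self";)',
    '(targetattr != "iplanet-am-static-group-dn || uid || nsroledn || aci '
    '|| nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf '
    '|| iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow '
    '|| iplanet-am-web-agent-access-deny-list")'
    '(version 3.0; acl "S1IS Allow self entry modification except for nsroledn, aci, '
    'and resource limit attributes"; allow (write)userdn ="ldap:///self";)',
    '(targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit '
    '|| nsIdleTimeout || iplanet-am-domain-url-access-allow") (version 3.0; '
    'acl "S1IS Allow self entry read search except for nsroledn, aci, resource limit '
    'and web agent policy attributes"; allow (read,search)userdn ="ldap:///self";)',
    '(targetattr = "*")(version 3.0; '
    'acl "S1IS Deny deleting self"; deny (delete) userdn ="ldap:///self";)',
]

ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)\s*'
    r'(?:\(targetfilter=\(!\((?P<exclude>[^()]*)\)\)\)\s*)?'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*userdn\s*=\s*"ldap:///self";\)'
)


def parse_aci(text):
    """Parse one ACI into a dict; raise ValueError if it is outside the handled form."""
    m = ACI_RE.fullmatch(" ".join(text.split()))  # collapse line breaks / extra spaces
    if not m:
        raise ValueError("unsupported ACI syntax: " + text[:60])
    exclude = None
    if m["exclude"] is not None:  # e.g. nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX
        attr, value = m["exclude"].split("=", 1)
        exclude = (attr.strip().lower(), value.strip())
    return {
        "name": m["name"],
        "op": m["op"],  # "=" lists targeted attrs, "!=" lists excluded attrs
        "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
        "exclude": exclude,  # entries matching this (attr, value) are not subject to the ACI
        "effect": m["effect"],
        "rights": {r.strip() for r in m["rights"].split(",")},
    }


def aci_targets(aci, attr):
    """True if the ACI's targetattr clause covers this attribute (names are case-insensitive)."""
    attr = attr.lower()
    if aci["op"] == "=":
        return "*" in aci["attrs"] or attr in aci["attrs"]
    return attr not in aci["attrs"]


def aci_applies(aci, entry):
    """True unless the entry matches the (!(attr=value)) targetfilter exclusion."""
    if aci["exclude"] is None:
        return True
    attr, value = aci["exclude"]
    return value not in entry.get(attr, [])


def self_access(acis, entry, right, attr):
    """Deny-overrides evaluation of a user's access to an attribute of its own entry.
    Any applicable deny wins; otherwise an applicable allow is required; otherwise
    the directory default (deny) stands. Returns (granted, name of deciding ACI)."""
    decision, reason = False, "no matching allow (default deny)"
    for aci in acis:
        if right not in aci["rights"] or not aci_targets(aci, attr) or not aci_applies(aci, entry):
            continue
        if aci["effect"] == "deny":
            return False, aci["name"]
        decision, reason = True, aci["name"]
    return decision, reason


# Constructed sample entries (not from the note); attribute names are lowercase.
REGULAR_USER = {"uid": ["jdoe"], "nsroledn": []}
TOP_LEVEL_ADMIN = {"uid": ["amadmin"], "nsroledn": ["cn=Top-level Admin Role,ROOT_SUFFIX"]}

if __name__ == "__main__":
    acis = [parse_aci(a) for a in USER_ACIS]
    checks = (("write", "cn"), ("write", "iplanet-am-user-login-status"),
              ("write", "nsroledn"), ("read", "aci"), ("delete", "*"))
    for who, entry in (("regular user", REGULAR_USER), ("top-level admin", TOP_LEVEL_ADMIN)):
        for right, attr in checks:
            ok, why = self_access(acis, entry, right, attr)
            print(f"{who:16} {right:6} {attr:30} {'ALLOW' if ok else 'DENY':5}  ({why})")
```

Running it shows the interplay the note describes: a regular user may write cn (ACI 2 allows it) but not iplanet-am-user-login-status (ACI 1 denies it even though ACI 2 would allow it) and not nsroledn or uid (no allow covers them), while a Top-level Admin Role holder is exempt from ACI 1 and so may write iplanet-am-user-login-status; aci is unreadable under ACI 3, and ACI 4 denies delete for everyone.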