Technical Note: Sun Java System Access Manager ACI Guide

ACIs That are Removed by the amtune-directory Script

When Access Manager is installed in Realm Mode, the amtune-directory script removes the following ACIs, which are listed in the remacis.ldif file:

ACI 1:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(entrydn=ORG_ROOT_SUFFIX))(targetattr="*")
(version 3.0; acl "S1IS Default Organization delete right denied";  
deny (delete) userdn = "ldap:///anyone"; )

ACI 2:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))(targetattr = "*") 
(version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow"; 
allow (read,search) roledn = "ldap:///cn=Top-level Help Desk Admin Role,ROOT_SUFFIX";)

ACI 3:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))
(targetattr = "userPassword") (version 3.0; 
acl "S1IS Top-level Help Desk Admin Role access allow"; allow (write) 
roledn = "ldap:///cn=Top-level Help Desk Admin Role,ROOT_SUFFIX";)

ACI 4:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX))))(targetattr = "*") 
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; 
allow (read,search) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

ACI 5:

aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*ROOT_SUFFIX")
(targetattr = "*") (version 3.0; 
acl "S1IS Top-level Policy Admin Role access Auth Service deny"; 
deny (add,write,delete) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

ACI 6:

aci: (target="ldap:///ou=services,*ROOT_SUFFIX")
(targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; 
allow (all) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

ACI 7:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter="(objectclass=ORG_OBJECT_CLASS)")
(targetattr = "sunRegisteredServiceName") (version 3.0; 
acl "S1IS Top-level Policy Admin Role access allow"; allow (read,write,search) 
roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

ACI 8:

aci: (targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit 
|| nsIdleTimeout || iplanet-am-domain-url-access-allow") (version 3.0; 
acl "S1IS Allow self entry read search except for nsroledn, aci, resource limit 
and web agent policy attributes"; allow (read,search)userdn ="ldap:///self";)

ACI 9:

aci: (target="ldap:///ou=iPlanetAMAdminConsoleService,*,ROOT_SUFFIX")
(targetattr = "*")(version 3.0; 
acl "S1IS iPlanetAMAdminConsoleService anonymous access"; 
allow (read, search, compare) userdn = "ldap:///anyone";) 

ACI 10:

aci: (target="ldap:///($dn),ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX))))
(targetattr != "nsroledn")(version 3.0; 
acl "S1IS Organization Admin Role access allow all"; 
allow (all) roledn = "ldap:///cn=Organization Admin Role,[$dn],ORG_ROOT_SUFFIX";)

ACI 11:

aci: (target="ldap:///cn=Organization Admin Role,($dn),ORG_ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS Organization Admin Role access deny"; 
deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=Organization Admin Role,
($dn),ORG_ROOT_SUFFIX";)

ACI 12:

aci: (target="ldap:///($dn),ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX))))
(targetattr != "nsroledn")(version 3.0; acl "S1IS Container Admin Role access allow"; 
allow (all) roledn = "ldap:///cn=Container Admin Role,[$dn],ORG_ROOT_SUFFIX";)

ACI 13:

aci: (target="ldap:///cn=Container Admin Role,($dn),ORG_ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS Container Admin Role access deny"; 
deny (write,add,delete,compare,proxy) 
roledn = "ldap:///cn=Container Admin Role,($dn),ORG_ROOT_SUFFIX";)

ACI 14:

aci: (target="ldap:///ROOT_SUFFIX")
(targetattr!="nsroledn")(version 3.0; 
acl "S1IS Group admin's right to the users he creates"; 
allow (all) userattr = "iplanet-am-modifiable-by#ROLEDN";)

ACI 15:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Organization Admin Role,ORG_ROOT_SUFFIX))))(targetattr = "*") 
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; 
allow (read,search) 
roledn = "ldap:///cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX";)

ACI 16:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Organization Admin Role,ORG_ROOT_SUFFIX))))
(targetattr = "userPassword") (version 3.0; 
acl "S1IS Organization Help Desk Admin Role access allow"; 
allow (write) roledn = "ldap:///cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX";)

ACI 17:

aci: (target="ldap:///ou=People,ORG_ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Organization Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Container Admin Role,ORG_ROOT_SUFFIX))))
(targetattr != "iplanet-am-web-agent-access-allow-list 
|| iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list 
|| nsroledn") (version 3.0; acl "S1IS Group and people container admin role"; 
allow (all) roledn = "ldap:///cn=ou=People_NM_ORG_ROOT_SUFFIX,ORG_ROOT_SUFFIX";)