Sun OpenDS Standard Edition 2.2 Administration Guide

Understanding Effective Rights Results

Depending on the options specified, an effective rights request returns the following information:

Rights Information

The effective rights information is presented according to the following subtypes:

aclRights;entrylevel - Presents entry-level rights information

aclRights;attributelevel - Presents attribute-level rights information

aclRightsInfo;entrylevel - Presents entry-level logging information

aclRightsInfo;attributelevel - Presents attribute-level logging information

The format of the aclRights string is as follows:

aclRights;entryLevel: permission:value(permission:value)*

and

aclRights;attributeLevel: permission:value(permission:value)*

The possible entry-level permissions are add, delete, read, write, and proxy. The possible values for each permission are 0 (permission not granted) and 1 (permission granted).

Entry-level Permission   Explanation
add and delete           The ability of a user to add and delete the entire entry.
read                     The ability of a user to read and search attributes in the entry.
write                    The ability of a user to add, delete, and replace attribute values in the entry.
proxy                    The ability of a user to access the directory with the rights of the entry.

Note - For information about assigning these permissions in an ACI, see ACI Syntax in Sun OpenDS Standard Edition 2.2 Architectural Reference.


The possible attribute-level permissions are read, search, compare, write, selfwrite_add, selfwrite_delete, and proxy. The possible values for each permission are 0 (permission not granted) and 1 (permission granted). For the case of the write permission, the value of "?" is also permitted.

Attribute-level Permission   Explanation
read                         The ability of a user to read the attribute value in the entry.
search                       The ability of a user to search the attribute value in the entry.
compare                      The ability of a user to compare the attribute value in the entry with a value that is provided by the user.
write                        The ability of a user to add, delete, and replace the attribute value in the entry. This applies to all attributes except the authorization dn.
selfwrite_add                The ability of a user to add the attribute value that is the authorization dn.
selfwrite_delete             The ability of a user to delete the attribute value that is the authorization dn.
proxy                        The ability of a user to access the directory with the rights of the attribute in the entry.

Note - The write, selfwrite_add, and selfwrite_delete permissions are particularly complex. If you see a "?", consult the logging information to establish why the permissions will or will not be granted. For more information, see Table 3.


The format of the aclRightsInfo string is as follows:

aclRightsInfo;logs;entryLevel;permission: acl_summary(main):permission-string

and

aclRightsInfo;logs;attributeLevel;permission;attribute: acl_summary(main):permission-string

The entry-level and attribute-level permissions are described in the preceding section.

The permission-string contains detailed information about the effective rights at the entry level and at the attribute level.

write, selfwrite_add, and selfwrite_delete Permissions

The attribute-level write permission can be 0, 1, or "?". Only the write attribute-level permission can have the value "?", which usually results from a targattrfilters ACI component. With such an ACI, whether add and delete are permitted depends on the values of the attributes in the entry; only the permission value, 0 or 1, is returned on the entries as they are returned by the ldapsearch operation.

For all attribute values except the authorization dn, if the value for a write permission is 1, the permission is granted for both add and delete. Similarly, for all attribute values except the authorization dn, a value of 0 for a write permission means that the permission is not granted for either add or delete ldapmodify operations. The permission in force for the value of the authorization dn is returned explicitly in one of the selfwrite permissions, that is, either selfwrite_add or selfwrite_delete.

Although selfwrite_add and selfwrite_delete attribute-level permissions do not exist in the context of ACIs, a set of ACIs can grant a user selfwrite permission for just the add or just the delete part of a modify operation. For selfwrite permissions, the value of the attribute being modified is the authorization dn. The same distinction is not made for write permissions because the value of the attribute being modified for a write permission is undefined.

When the effective permission depends on a targattrfilters ACI, the "?" value indicates that the logging information should be consulted for more permission detail. Because the write, selfwrite_add, and selfwrite_delete permissions are interdependent, the following table explains what each possible combination of the three permissions means.

Table 3 Effective Rights Permission Interdependencies

write  selfwrite_add  selfwrite_delete  Effective Rights Explanation
0      0              0                 Cannot add or delete any values of this attribute.
0      0              1                 Can only delete the value of the authorization dn.
0      1              0                 Can only add the value of the authorization dn.
0      1              1                 Can only add or delete the value of the authorization dn.
1      0              0                 Can add or delete all values except the authorization dn.
1      0              1                 Can delete all values including the authorization dn and can add all values excluding the authorization dn.
1      1              0                 Can add all values including the authorization dn and can delete all values excluding the authorization dn.
1      1              1                 Can add or delete all values of this attribute.
?      0              0                 Cannot add or delete the authorization dn value, but might be able to add or delete other values. Refer to the logging information for further details regarding the write permission.
?      0              1                 Can delete but cannot add the value of the authorization dn, and might be able to add or delete other values. Refer to the logging information for further details regarding the write permission.
?      1              0                 Can add but cannot delete the value of the authorization dn, and might be able to add or delete other values. Refer to the logging information for further details regarding the write permission.
?      1              1                 Can add and delete the value of the authorization dn, and might be able to add or delete other values. Refer to the logging information for further details regarding the write permission.

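The following script is an added example and is not code from the OpenDS guide. It parses the aclRights values of one entry as an effective rights ldapsearch returns them (the sample entry is constructed), and applies Table 3 to each attribute's write, selfwrite_add and selfwrite_delete values, flagging attributes whose write permission is "?" so that the aclRightsInfo logs can be consulted. Two details are assumptions beyond the page: that the permission:value pairs are comma-separated, and that attribute-level values carry the attribute name as a third subtype (aclRights;attributeLevel;mail), which is how ldapsearch prints them.

```python
"""Parse and interpret aclRights values from an effective rights request.

Added example, not code from the Sun OpenDS guide; the sample entry below is
constructed. Assumed (not stated on the page): permission:value pairs are
comma-separated, and attribute-level values carry the attribute name as a
third subtype, e.g. aclRights;attributeLevel;mail.
"""

VALID_VALUES = {"0", "1", "?"}

# Table 3 of the guide, keyed by (write, selfwrite_add, selfwrite_delete).
INTERDEPENDENCIES = {
    ("0", "0", "0"): "Cannot add or delete any values of this attribute.",
    ("0", "0", "1"): "Can only delete the value of the authorization dn.",
    ("0", "1", "0"): "Can only add the value of the authorization dn.",
    ("0", "1", "1"): "Can only add or delete the value of the authorization dn.",
    ("1", "0", "0"): "Can add or delete all values except the authorization dn.",
    ("1", "0", "1"): "Can delete all values including the authorization dn "
                     "and can add all values excluding the authorization dn.",
    ("1", "1", "0"): "Can add all values including the authorization dn "
                     "and can delete all values excluding the authorization dn.",
    ("1", "1", "1"): "Can add or delete all values of this attribute.",
    ("?", "0", "0"): "Cannot add or delete the authorization dn value, "
                     "but might be able to add or delete other values.",
    ("?", "0", "1"): "Can delete but cannot add the value of the authorization dn, "
                     "and might be able to add or delete other values.",
    ("?", "1", "0"): "Can add but cannot delete the value of the authorization dn, "
                     "and might be able to add or delete other values.",
    ("?", "1", "1"): "Can add and delete the value of the authorization dn, "
                     "and might be able to add or delete other values.",
}

LOG_HINT = " Refer to the aclRightsInfo logging information for the write permission."


def parse_rights(value):
    """Turn 'permission:value,permission:value,...' into a dict."""
    rights = {}
    for token in value.split(","):
        perm, sep, val = token.strip().partition(":")
        if not sep or val not in VALID_VALUES:
            raise ValueError(f"malformed permission token: {token!r}")
        rights[perm] = val
    return rights


def parse_acl_rights_entry(ldif_text):
    """Collect the aclRights attributes of one ldapsearch entry.

    Returns (entry_level_rights, {attribute_name: attribute_level_rights}).
    Subtypes are compared case-insensitively because the guide writes both
    'entrylevel' and 'entryLevel'.
    """
    entry_level = {}
    attr_level = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(": ")
        if not sep or not name.lower().startswith("aclrights;"):
            continue
        subtypes = name.split(";")[1:]
        level = subtypes[0].lower()
        if level == "entrylevel":
            entry_level = parse_rights(value)
        elif level == "attributelevel" and len(subtypes) >= 2:
            attr_level[subtypes[1]] = parse_rights(value)
    return entry_level, attr_level


def explain_modify_rights(attr_rights):
    """Apply Table 3 to one attribute's write/selfwrite values.

    A permission missing from the string is treated as not granted (an
    assumption of this example).
    """
    key = (attr_rights.get("write", "0"),
           attr_rights.get("selfwrite_add", "0"),
           attr_rights.get("selfwrite_delete", "0"))
    try:
        text = INTERDEPENDENCIES[key]
    except KeyError:
        # Only write may be '?'; selfwrite_add/selfwrite_delete are 0 or 1.
        raise ValueError(f"unexpected write/selfwrite combination: {key}") from None
    return text + LOG_HINT if key[0] == "?" else text


def attributes_needing_log_review(attr_level):
    """Attribute names whose write permission came back as '?'."""
    return sorted(a for a, r in attr_level.items() if r.get("write") == "?")


# Constructed sample of one entry returned by an effective rights ldapsearch.
SAMPLE_ENTRY = """\
dn: uid=user.0,ou=People,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:1,proxy:0
aclRights;attributeLevel;mail: search:1,read:1,compare:1,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
aclRights;attributeLevel;uniqueMember: search:1,read:1,compare:1,write:?,selfwrite_add:1,selfwrite_delete:0,proxy:0
"""

if __name__ == "__main__":
    entry, attrs = parse_acl_rights_entry(SAMPLE_ENTRY)
    print("entry-level:", entry)
    for attr, rights in attrs.items():
        print(f"{attr}: {explain_modify_rights(rights)}")
    print("check logs for:", attributes_needing_log_review(attrs))
```

Running it prints the entry-level rights, one Table 3 sentence per attribute, and the list of attributes (here uniqueMember) whose write permission needs the logging information to be resolved.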
Logging Information

The effective rights logging information enables you to understand and debug access control difficulties. The logging information contains an access control summary statement, called the acl_summary, that indicates why access was allowed or denied. The reason given in the access control summary statement is one of those listed in the following table, with its explanation.

Table 4 Effective Rights Logging Information Reasons and Their Explanations

Logging Information Reason              Explanation
no reason available                     No reason available to explain why access was allowed or denied.
no allow acis                           No allow ACIs exist, which results in denied access.
result cached deny                      Cached information was used to determine the access denied decision.
result cached allow                     Cached information was used to determine the access allowed decision.
evaluated allow                         An ACI was evaluated to determine the access allowed decision. The name of the ACI is included in the log information.
evaluated deny                          An ACI was evaluated to determine the access denied decision. The name of the ACI is included in the log information.
no acis matched the resource            No ACIs match the resource or target, which results in denied access.
no acis matched the subject             No ACIs match the subject requesting access control, which results in denied access.
allow anyone aci matched anon user      An ACI with a userdn="ldap:///anyone" subject allowed access to the anonymous user.
no matching anyone aci for anon user    No ACI with a userdn="ldap:///anyone" subject was found, so access for the anonymous user was denied.
user root                               The user is the root DN and is allowed access.
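The following script is an added example, not code from the OpenDS guide. It parses aclRightsInfo log lines of the form the guide gives (aclRightsInfo;logs;level;permission[;attribute]: acl_summary(main):permission-string), pulls the reason out of the acl_summary, maps it to the decision it explains using Table 4, and records the deciding ACI name where an ACI was evaluated. The sample lines are constructed, and the internal layout of permission-string assumed here, a parenthesised "reason:" with an optional "deciding_aci:", is not spelled out on the page; adjust the regular expression if your server prints it differently.

```python
"""Extract the acl_summary reason from aclRightsInfo log lines.

Added example, not code from the Sun OpenDS guide; the sample lines are
constructed. The layout of permission-string assumed here (a parenthesised
'reason: ...' with an optional ', deciding_aci: ...') is not given on the
page.
"""
import re

# Table 4 reasons, mapped to the decision each one explains.
REASON_OUTCOME = {
    "no reason available": "unknown",
    "no allow acis": "denied",
    "result cached deny": "denied",
    "result cached allow": "allowed",
    "evaluated allow": "allowed",
    "evaluated deny": "denied",
    "no acis matched the resource": "denied",
    "no acis matched the subject": "denied",
    "allow anyone aci matched anon user": "allowed",
    "no matching anyone aci for anon user": "denied",
    "user root": "allowed",
}

# Assumed layout: "( reason: <reason> , deciding_aci: <aci name>)" or
# "( reason: <reason> )" when no ACI decided the outcome.
_REASON_RE = re.compile(
    r"reason:\s*(?P<reason>[^,)]+?)\s*(?:,\s*deciding_aci:\s*(?P<aci>[^)]*?))?\s*\)"
)


def parse_acl_rights_info(line):
    """Parse one aclRightsInfo line; returns None for any other line."""
    name, sep, value = line.partition(": ")
    if not sep:
        return None
    subtypes = name.split(";")
    if (subtypes[0].lower() != "aclrightsinfo" or len(subtypes) < 4
            or subtypes[1].lower() != "logs"):
        return None
    level, permission = subtypes[2], subtypes[3]
    attribute = subtypes[4] if len(subtypes) > 4 else None
    m = _REASON_RE.search(value)
    reason = m.group("reason").strip() if m else None
    aci = m.group("aci").strip() if m and m.group("aci") else None
    return {
        "level": level,
        "permission": permission,
        "attribute": attribute,
        "reason": reason,
        "deciding_aci": aci,
        "outcome": REASON_OUTCOME.get(reason, "unknown"),
    }


def denied_permissions(lines):
    """(permission, attribute, reason) for every denied permission in lines."""
    denied = []
    for line in lines:
        info = parse_acl_rights_info(line)
        if info and info["outcome"] == "denied":
            denied.append((info["permission"], info["attribute"], info["reason"]))
    return denied


# Constructed sample: three log lines and one plain aclRights line to skip.
SAMPLE_LOG_LINES = [
    "aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) "
    "on entry/attr(uid=user.0,ou=People,dc=example,dc=com, NULL) "
    "to (uid=user.0,ou=People,dc=example,dc=com) (not proxied) "
    "( reason: evaluated allow , deciding_aci: Anonymous read-search access)",
    "aclRightsInfo;logs;attributeLevel;write;mail: acl_summary(main): access allowed(write) "
    "on entry/attr(uid=user.0,ou=People,dc=example,dc=com, mail) "
    "to (uid=user.0,ou=People,dc=example,dc=com) (not proxied) "
    "( reason: evaluated allow , deciding_aci: Self entry modification)",
    "aclRightsInfo;logs;attributeLevel;write;uid: acl_summary(main): access denied(write) "
    "on entry/attr(uid=user.0,ou=People,dc=example,dc=com, uid) "
    "to (uid=user.0,ou=People,dc=example,dc=com) (not proxied) "
    "( reason: no allow acis )",
    "aclRights;entryLevel: add:0,delete:0,read:1,write:1,proxy:0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        info = parse_acl_rights_info(line)
        if info:
            print(info["level"], info["permission"], info["attribute"],
                  info["outcome"], info["reason"], info["deciding_aci"])
    print("denied:", denied_permissions(SAMPLE_LOG_LINES))
```

The "evaluated allow" and "evaluated deny" entries are the useful ones when an ACI set behaves unexpectedly, because they name the ACI that decided; a "no allow acis" or "no acis matched" reason tells you instead that no ACI reached the decision at all.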

Note - Write permissions for virtual attributes are not provided, nor is any associated logging evaluation information, because virtual attributes cannot be updated.