Sun Java System Delegated Administrator 6.4 Administration Guide

Original Anonymous Access Rights

aci:
(targetattr != “userPassword || passwordHistory || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordAllowChangeTime “)
(version 3.0; acl “Anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)

aci:
(target=”ldap:///cn=Top-level Admin Role,$rootSuffix”)
(targetattr=”*”)
version 3.0; acl “S1IS Top-level admin delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )


aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(entrydn=$rootSuffix))
(targetattr=”*”)
(version 3.0; acl “S1IS Default Organization delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )


aci:
(target=”ldap:///ou=services,$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = “*”)
(version 3.0; acl “S1IS Services anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)


aci:
(target=”ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS iPlanetAMAdminConsoleService anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)

Consolidated Anonymous Access Rights

aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr != “userPassword||passwordHistory
||passwordExpirationTime||passwordExpWarned||passwordRetryCount
||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime”)
(version 3.0; acl “anonymous access rights”;
allow (read,search,compare)
userdn = “ldap:///anyone”; )

Analysis: This ACI, which is on the root, allows the same access as the original collection of anonymous ACIs. It does this by listing a set of excluded attributes. This replacement ACI improves performance by eliminating the (*) in the target.

Original Self Acis

aci:
(targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordHistory || passwordAllowChangeTime”)
(version 3.0; acl “Allow self entry modification except for nsroledn, aci,
resource limit attributes, passwordPolicySubentry and password policy
state attributes”;
allow (write)
userdn =”ldap:///self”;) 


aci:
(targetattr = “*”)
(version 3.0; acl “S1IS Deny deleting self”;
deny (delete)
userdn =”ldap:///self”;) 


aci:
(targetattr = “objectclass || inetuserstatus ||
planet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow 
|| iplanet-am-web-agent-access-deny-list
|| iplanet-am-user-account-life || iplanet-am-session-max-session-time
|| iplanet-am-session-max-idle-time 
|| iplanet-am-session-get-valid-sessions
|| iplanet-am-session-destroy-sessions 
|| iplanet-am-session-add-session-listener-on-all-sessions
|| iplanet-am-user-admin-start-dn 
|| iplanet-am-auth-post-login-process-class”)
(targetfilter=(!(nsroledn=cn=Top-levelAdmin Role,$rootSuffix)))
(version 3.0; acl “S1IS User status self modification denied”;
deny (write)
userdn =”ldap:///self”;) 


aci:
(targetattr != “iplanet-am-static-group-dn || uid || nsroledn || aci 
|| LookThroughLimit
|| nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf ||
planet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow ||
planet-am-web-agent-access-deny-list”)
(version 3.0; acl “S1IS Allow self entry modification except 
for nsroledn, aci, and resource limit attributes”;
allow (write)
userdn =”ldap:///self”;) 


aci:
(targetattr != “aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow”)
(version 3.0; acl “S1IS Allow self entry read search except for 
nsroledn, aci, resource limit and web agent policy attributes”;
allow (read,search)
userdn =”ldap:///self”;) 


aci:
(targetattr=”uid||ou||owner||mail||mailAlternateAddress
||mailEquivalentaddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota
||mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci”)
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin
role,*))))
(version 3.0; acl “Deny write access to users over Messaging Server 
protected attributes -
product=SOMS,schema 2 support,class=installer,num=3,version=1 “;
deny (write)
userdn = “ldap:///self”;)

Consolidated Self Acis

aci:
(targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
asswordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime ||
id || memberOf
|| objectclass || inetuserstatus || ou || owner || mail || mailuserstatus
|| memberOfManagedGroup ||mailQuota || mailMsgQuota || mailhost
|| mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel”)
(version 3.0; acl “Allow self entry modification”;
allow (write)
userdn =”ldap:///self”;) 


aci:
(targetattr != “ aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit|| nsIdleTimeout”)
(version 3.0; acl “Allow self entry read search”;
allow(read,search)
userdn =”ldap:///self”;)

Analysis: Missing all the iplanet-am-* attributes. Since deny is the default if an ACI is not present, all deny ACIs are removed. The ones that allow write are consolidated into a single ACI.

Original Messaging Server ACIs

aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator Read 
Access Rights -
product=SOMS,schema 2 support,class=installer,num=1,version=1”;
allow (read,search)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
rootSuffix”;) 


aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”objectclass||mailalternateaddress||mailautoreplymode||
mailprogramdeliveryinfo
||nswmextendeduserprefs||preferredlanguage||maildeliveryoption||
mailforwardingaddress
||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext||
vacationEndDate
||vacationStartDate||mailautoreplysubject||pabURI||maxPabEntries||
mailMessageStore
||mailSieveRuleSource||sunUCDateFormat||sunUCDateDeLimiter||
sunUCTimeFormat”)
(version 3.0; acl “Messaging Server End User Adminstrator Write 
Access Rights -
product=SOMS,schema 2 support,class=installer,num=2,version=1”;
allow (all)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
rootSuffix”;) 


aci:
(targetattr=”uid||ou||owner||mail||mailAlternateAddress||
mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota||
mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci”)
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin
Role,*))))
(version 3.0; acl “Deny write access to users over Messaging Server
protected attributes - 
product=SOMS,schema 2 support,class=installer,num=3,version=1 “;
deny (write)
userdn = “ldap:///self”;)

Consolidated Messaging Server ACIs

The self ACI is handled in the self ACIs.

aci:
(targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator 
Read Only Access”;
allow (read,search)
groupdn = “ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix”; ) 


aci:
(targetattr=”objectclass || mailalternateaddress || Mailautoreplymode 
|| mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption
|| mailforwardingaddress || mailAutoReplyTimeout 
|| mailautoreplytextinternal
|| mailautoreplytext || vacationEndDate || vacationStartDate
|| mailautoreplysubject || maxPabEntries || mailMessageStore
|| mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter
|| sunUCTimeFormat || mailuserstatus || maildomainstatus
|| nswmextendeduserprefs || pabURI”)
(version 3.0; acl “Messaging Server End User Administrator All Access”;
allow (all)
groupdn = “ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix”;)

Analysis: Same as the original ACIs.

Original Organization Admin ACIs

aci: (different name - “allow all” instead of “allow”)
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn =”ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;) 


aci: (missing)
(target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read to org node”;
allow (read,search)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;) 


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;) 


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetattr!=”businessCategory || description || facsimileTelephoneNumber
|| postalAddress || preferredLanguage || searchGuide || postOfficeBox 
|| postalCode
|| registeredaddress || street || l || st || telephonenumber 
|| maildomainreportaddress
|| maildomainwelcomemessage || preferredlanguage || sunenablegab”)
(version 3.0; acl “Organization Admin Role access deny to org node”;
deny (write,add,delete)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;) 


aci: (duplicate of per organization aci)
(target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)


aci:
(target=”ldap:///cn=Organization Admin
Role,($dn),dc=red,dc=iplanet,dc=com”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)


aci:
(target=”ldap:///o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com))))
(targetattr = “nsroledn”)
(targattrfilters=”add=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,
o=SharedDomainsRoot,o=Business,$rootSuffix),
del=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,$rootSuffix)”)
(version 3.0;
acl “S1IS Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin
Role,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business,
$rootSuffix”;)


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn = “ldap:///cn=Organization Admin
Role,[$dn],dc=red,dc=iplanet,dc=com”;)

Consolidated Organization Admin ACIs

aci:
(target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read”;
allow(read,search)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix” ;)


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(entrydn=($dn),$rootSuffix))))
( targetattr = “*”)
(version 3.0; acl “S1IS Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)