Exit Print View

Sun OpenDS Standard Edition 2.0 Administration Guide

Get PDF Book Print View

Document Information

Configuring the Directory Server

Configuring Security in the Directory Server

Managing Directory Data

Controlling Access To Data

Managing Global ACIs With dsconfig

Default Global ACIs

To Display the Global ACIs

To Delete a Global ACI

To Add a Global ACI

Managing ACIs With ldapmodify

To View ACI Attribute Values

To Add an ACI

To Remove an ACI

Access Control Usage Examples

Disabling Anonymous Access

Granting Write Access to Personal Entries

Granting a Group Full Access to a Suffix

Granting Rights to Add and Delete Group Entries

Allowing Users to Add or Remove Themselves From a Group

Granting Conditional Access to a Group

Denying Access

Defining Permissions for DNs That Contain a Comma

Proxy Authorization ACIs

Viewing Effective Rights

The Get Effective Rights Control

Using the Get Effective Rights Control

Understanding Effective Rights Results

Restricting Access to the Get Effective Rights Control

Replicating Data

Managing Users and Groups

Directory Server Monitoring

Improving Performance

Advanced Administration

Controlling Access To Data

Controlling access to directory contents is an integral part of creating a secure directory. Access to data is managed with access control instructions (ACIs) that specify the access right to individual entries, all sub-entries below an entry, or all entries on a global basis.

Numerous or complicated ACIs require greater processing resources than a few simple ACIs. You can significantly reduce the performance of your directory by specifying a large number of ACIs or extremely complicated ACIs.

The directory server includes the ability to view the effective rights of a given user for a given entry. This feature simplifies the administration of the complex and powerful access control mechanism.

For an overview of the ACI model, see Access Control Principles in Sun OpenDS Standard Edition 2.0 Architectural Reference.

The following sections describe how to create ACIs to control access to data: