Technical Note: Sun Java System Access Manager ACI Guide

ACI Descriptions

Top-Level Admin Role ACIs

ACI 1:

aci: (target="ldap:///ROOT_SUFFIX")
(targetattr="*") (version 3.0; acl "S1IS Top-level admin rights"; allow (all) 
roledn = "ldap:///cn=Top-level Admin Role,ROOT_SUFFIX"; )

Members of this specific role (cn=Top-level Admin Role) have all rights to all entries of the targeted resource ROOT_SUFFIX. The Top-Level Admin Role members can delete/read/modify/write to or from all entries under the top node. ROOT_SUFFIX is the root node.

ACI 2:

aci: (target="ldap:///cn=amldapuser,ou=DSAME Users,ORG_ROOT_SUFFIX")
(targetattr = "*") (version 3.0; acl "S1IS special ldap auth user modify right"; 
deny (write) roledn !="ldap:///cn=Top-level Admin Role,ROOT_SUFFIX";)

This ACI denies write access to the targeted entry (cn=amldapuser) to anyone who is not a member of this specific role (cn=Top-level Admin Role), so only Top-level Admin Role members can modify/write that entry. In other words:

Top-Level Help Desk Admin Role ACIs

ACI 1:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))
(targetattr= "*") (version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow";
allow (read,search) roledn = "ldap:///cn=Top-level Help Desk Admin Role,ROOT_SUFFIX";)

Members with Top-level Help Desk Admin role:

ACI 2:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))
(targetattr= "userPassword") 
(version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow"; allow (write) 
roledn ="ldap:///cn=Top-level Help Desk Admin Role,ROOT_SUFFIX";)

Members with Top-Level Help Desk Admin role:

Top-Level Policy Admin Role ACIs

ACI 1:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX))))
(targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (read,search) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

Members with Top-level Policy Admin role:

ACI 2:

aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*ROOT_SUFFIX")
(targetattr = "*") 
(version 3.0; acl "S1IS Top-level Policy Admin Role access Auth Service deny"; 
deny(add,write,delete) 
roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

Members with Top-Level Policy Admin role do not have permission to add, write, or delete any of the entries under the authentication service. This authentication service, iPlanetAMAuthService, is in the services node of the default organization (root suffix node). Because the target contains a wildcard, this ACI is also enforced in the sub-organizations created under the default organization.

ACI 3:

aci: (target="ldap:///ou=services,*ROOT_SUFFIX")(targetattr = "*") 
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (all) 
roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

Members with Top-Level Policy Admin role have all permissions (read, modify, search, add, write, and delete) on all the entries of all services under the default organization (root suffix node). However, because of ACI 2 above, the Top-Level Policy Admin does not have add, write, or delete permission on the authentication service: a matching deny always overrides an allow. This ACI is also enforced in the sub-organizations created under the default organization.

ACI 4:

aci:(target="ldap:///ROOT_SUFFIX")
(targetfilter="(objectclass=ORG_OBJECT_CLASS)") 
(targetattr = "sunRegisteredServiceName") (version 3.0; 
acl "S1IS Top-level Policy Admin Role access allow"; allow (read,write,search) 
roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

Members with Top-Level Policy Admin role have permission to read, write, or search the attribute sunRegisteredServiceName of all entries whose object class matches ORG_OBJECT_CLASS.

For example:

aci: (target="ldap:///dc=iplanet,dc=com")
(targetfilter="(objectclass=sunmanagedorganization)")
(targetattr = "sunRegisteredServiceName") (version 3.0; 
acl "S1IS Top-level Policy Admin Role access allow"; allow (read,write,search) 
roledn = "ldap:///cn=Top-level Policy Admin Role,dc=iplanet,dc=com";)

Organization Admin Role ACIs

ACI 1:

aci: (target="ldap:///($dn),ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX))))
(targetattr != "nsroledn")(version 3.0; 
acl "S1IS Organization Admin Role access allow all";
 allow (all) roledn = "ldap:///cn=Organization Admin Role,[$dn],ORG_ROOT_SUFFIX";)

This ACI gives all permissions to the members who belong to the Organization Admin Role. Members of Organization Admin Role have 'all' permissions to the organization entry and to all the entries and attributes under it. However, the 'all' access does not apply to the nsroledn attribute where its values are Top-level Admin Role, Top-level Help Desk Admin Role, or Top-level Policy Admin Role.

In other words, members of Organization Admin Role cannot read, write, delete, modify, or search the directory entries of Top-level Admin, Top-level Help Desk Admin, and Top-level Policy Admin. Members of Organization Admin Role do have permission to modify the nsroledn attribute in their own profiles; however, they cannot assign the following values to the nsroledn attribute:

ACI 2:

aci: (target="ldap:///cn=Organization Admin Role,($dn),ORG_ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS Organization Admin Role access deny"; 
deny (write,add,delete,compare,proxy)
 roledn = "ldap:///cn=Organization Admin Role,($dn),ORG_ROOT_SUFFIX";)

Members of Organization Admin Role are denied write, add, delete, compare, or proxy permissions to all the attributes for that organization admin role entry.

Organization Help Desk Admin Role ACIs

ACI 1:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Organization Admin Role,ORG_ROOT_SUFFIX))))(targetattr = "*")
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; 
allow (read,search) 
roledn = "ldap:///cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX";)

Members of Organization Help Desk Admin Role:

ACI 2:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Organization Admin Role,ORG_ROOT_SUFFIX))))
(targetattr = "userPassword") 
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; 
allow (write) roledn = "ldap:///cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX";)

Members of Organization Help Desk Admin Role:

Container Admin Role ACIs

ACI 1:

aci: (target="ldap:///($dn),ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX))))
(targetattr != "nsroledn")(version 3.0; acl "S1IS Container Admin Role access allow"; 
allow (all) roledn = "ldap:///cn=Container Admin Role,[$dn],ORG_ROOT_SUFFIX";)

This ACI gives 'all' permissions to the members who belong to the Container Admin Role. Therefore, members of Container Admin Role have 'all' permissions to the sub-organization entry and to all the entries and attributes under it. However, the 'all' access does not apply to the nsroledn attribute if the values for nsroledn are one or more of the following:

In other words, members of Container Admin Role cannot read, write, delete, modify, or search the directory entries of members belonging to the above-listed roles. However, members of Container Admin Role have permissions to modify the nsroledn attribute in their own profiles.

ACI 2:

aci: (target="ldap:///cn=Container Admin Role,($dn),ORG_ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS Container Admin Role access deny"; 
deny (write,add,delete,compare,proxy) 
roledn = "ldap:///cn=Container Admin Role,($dn),ORG_ROOT_SUFFIX";)

This ACI is for Container Admin Role. Members of Container Admin Role are denied write, add, delete, compare, and proxy permissions to all the attributes for that container/sub-organization admin role entry.

Deny Write Access Role ACIs

ACI 1:

aci: (targetattr = "*")
(version 3.0; acl "S1IS Deny write to anonymous user"; deny (add,write,delete) 
roledn ="ldap:///cn=Deny Write Access,ROOT_SUFFIX";)

Members of the Deny Write Access role (that is, anonymous users) do not have add, write, or delete rights to any entry under the root suffix. Anonymous users are allowed only to search and read entries.

User ACIs

ACI 1:

aci: (targetattr = "objectclass  || inetuserstatus || iplanet-am-user-login-status 
|| iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow 
|| iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life 
|| iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time 
|| iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions 
|| iplanet-am-session-add-session-listener-on-all-sessions 
|| iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))
(version 3.0; acl "S1IS User status self modification denied"; 
deny (write) userdn="ldap:///self";)

This ACI specifically prevents users from writing or modifying certain attributes (those listed in the targetattr of the ACI) in their own directory entry. The targetfilter exempts entries that hold the Top-level Admin Role. If these attributes need to be modified, an Admin user is able to do it.

ACI 2:

aci: (targetattr != "iplanet-am-static-group-dn  || uid || nsroledn || aci 
|| nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf 
|| iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow 
|| iplanet-am-web-agent-access-deny-list")
(version 3.0; acl "S1IS Allow self entry modification except for nsroledn, aci, 
and resource limit attributes"; allow (write)userdn ="ldap:///self";)

This ACI allows users to write or modify their own directory entry, except for the attributes listed in the targetattr (among them nsroledn, aci, and the resource limit attributes). The Organization Admin Role ACIs defined above override this ACI and allow self-modification of the nsroledn attribute, so that administrators can assign themselves certain service roles and admin roles of lesser or equal privilege. The current ACIs still prevent the organization admin from assigning the top-level admin roles.

ACI 3:

aci: (targetattr != "aci  || nsLookThroughLimit || nsSizeLimit  || nsTimeLimit 
|| nsIdleTimeout  || iplanet-am-domain-url-access-allow") (version 3.0; 
acl "S1IS Allow self entry read search except for nsroledn, aci, resource limit 
and web agent policy attributes"; allow (read,search)userdn ="ldap:///self";)

This ACI specifically allows users to read or search certain attributes from their own directory entry. But this ACI does not allow the following target attributes to be read by the users in their own directory entries: aci, nsLookThroughLimit, nsSizeLimit, nsTimeLimit, nsIdleTimeout, and iplanet-am-domain-url-access-allow.

ACI 4:

aci: (targetattr = "*")(version 3.0; 
acl "S1IS Deny deleting self"; deny (delete) userdn  ="ldap:///self";)

This ACI specifically prevents users from deleting their own directory entries.

Miscellaneous ACIs

ACI 1:

aci: (target="ldap:///cn=schema")(targetattr="*")
(version 3.0; acl "S1IS Proxy user rights"; allow (proxy) 
userdn = "ldap:///cn=puser,ou=DSAME Users,ORG_ROOT_SUFFIX"; )

This ACI states that the DN cn=puser has proxy rights to access the target directory entry that contains all the schema information for the server (that is, cn=schema). It has the rights of the Directory Manager entry (cn=Directory Manager) to do this. (Only Directory Manager has write permission on the schema; no other user has write permission on the schema.)

In other words, the proxy user DN (cn=puser) gains access to the cn=schema subtree using the same access permissions as the Directory Manager. With this ACI in place, the puser can bind to the directory and send an LDAP command such as ldapsearch or ldapmodify that requires the access rights of the Directory Manager.

ACI 2:

aci: (target="ldap:///ROOT_SUFFIX")(targetattr="*")
(version 3.0; acl "S1IS Proxy user rights"; allow (proxy) 
userdn = "ldap:///cn=puser,ou=DSAME Users,ORG_ROOT_SUFFIX"; )

This ACI states that the DN cn=puser has proxy rights to access the target directory entry which is the top organization or root node. It has the rights of Directory Manager entry (cn=Directory Manager) to do this. In other words, the proxy user DN (cn=puser) gains access to the top organization or root node using the same access permissions as the Directory Manager. With this ACI in place, the puser can bind to the directory and send an LDAP command such as ldapsearch or ldapmodify that requires the access rights of the Directory Manager.

ACI 3:

aci: (target="ldap:///ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS special ldap  auth user rights"; 
allow (read,search) userdn = "ldap:///cn=amldapuser,ou=DSAME Users,ORG_ROOT_SUFFIX"; )

This ACI states that the DN cn=amldapuser has only read and search rights to all entries under the target directory entry, as well as to the target directory entry itself, which is the top organization or root node. In other words, the amldapuser DN (cn=amldapuser) has read and search rights to the targeted entry. amldapuser is the bind DN user for the LDAP Authentication, Membership, and Policy services. This user has read and search access to all Directory Server entries.

ACI 4:

aci: (target="ldap:///ROOT_SUFFIX") (targetattr="*")
(version 3.0; acl "S1IS special dsame  user rights for all under the root suffix"; 
allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,ORG_ROOT_SUFFIX"; )

This ACI states that the DN cn=dsameuser has all rights to access all entries under the target directory entry, as well as the target directory entry itself, which is the top organization or root node. In other words, the dsameuser DN (cn=dsameuser) has all rights (read, write, search, delete, compare, and selfwrite) to the targeted entry, except proxy rights. dsameuser retrieves the LDAP configuration (for users, organizations, policies, services, agents, etc.) for the Access Manager SDK. The Directory Server administrator (by default uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot) has all rights except proxy rights.

ACI 5:

aci: (targetattr="iplanet-am-saml-user  || iplanet-am-saml-password")
(targetfilter="(objectclass=iplanet-am-saml-service)")(version 3.0; 
acl "S1IS Right to modify saml  user and password"; deny (all) 
(roledn != "ldap:///cn=Top-level Admin Role,ROOT_SUFFIX") 
AND (userdn  != "ldap:///cn=dsameuser,ou=DSAME Users,ORG_ROOT_SUFFIX") 
AND (userdn != "ldap:///cn=puser,ou=DSAME Users,ORG_ROOT_SUFFIX"); )

Only special users (such as dsameuser, the proxy user puser, or a top-level admin) can configure the SAML service at the global level. SAML service attributes and values are added as key/value pairs for Trusted Partner Sites in the console (using the Edit button), and the passwords are not encrypted. Liberty and SAML do not want all users to see these values in clear text. This ACI denies access to the SAML service attributes for all users except members of the Top-Level Admin role, puser, and dsameuser.

ACI 6:

aci: (target="ldap:///ou=services,ROOT_SUFFIX")
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = "*")(version 3.0; acl "S1IS Services anonymous access"; 
allow (read, search, compare) userdn = "ldap:///anyone";)

This ACI allows anyone, including anonymous users, read, search, and compare access to the Service Schema, which is defined under the ou=services node of the tree. It does not give anyone read, search, or compare access to the Service Configuration entries: the targetfilter excludes entries with objectclass=sunServiceComponent, that is, the Service Configuration.
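To make the interaction of these ACIs concrete, the following is an added example (not part of the original note and not Access Manager or Directory Server code): a small Python evaluator for the subset of ACI syntax this note uses (target with `*` wildcards, targetattr with `=` and `!=`, targetfilter with `=`, `!`, `&` and `|`, allow/deny, and AND-joined userdn/roledn bind rules). It loads the four User ACIs and Miscellaneous ACI 6 from this note and checks them against constructed sample entries, showing that a matching deny overrides an allow (User ACI 1 beats User ACI 2 for the listed attributes), that the Top-level Admin targetfilter exempts role members from that deny, and that ACI 6 opens the Service Schema but not the Service Configuration to anonymous binds. Assumptions: ROOT_SUFFIX and ORG_ROOT_SUFFIX are both `dc=example,dc=com`; the entry DNs, attribute names such as `sunKeyValue` and objectclass values are constructed; `all` grants every right except proxy (as the dsameuser description states); an ACI without targetattr is treated as covering every attribute; a request that no allow ACI matches is refused. The `($dn)`/`[$dn]` macros are not modelled.

```python
# Added example, not Access Manager or Directory Server code: evaluates the ACI subset
# this note uses. Assumptions: ROOT_SUFFIX and ORG_ROOT_SUFFIX are both dc=example,dc=com;
# "all" is every right except proxy; deny beats allow; no matching allow means refused.
import re
from fnmatch import fnmatchcase

ROOT = "dc=example,dc=com"  # constructed stand-in for ROOT_SUFFIX

def _parse_filter(s, i):
    """Parse the LDAP filter starting at s[i] == '('; returns (node, end_index)."""
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1                   # step over the closing ')'
    j = s.index(")", i)
    attr, val = s[i:j].split("=", 1)               # first '=' only: DN values contain '='
    return ("=", attr.strip().lower(), val.strip()), j + 1

def _match(node, entry):
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if node[0] == "!":
        return not _match(node[1][0], entry)
    return (all if node[0] == "&" else any)(_match(k, entry) for k in node[1])

def parse_aci(text):
    # Collapse the line wrapping used in the note and drop spaces between ')' and '('.
    text = " ".join(text.split()).replace(") (", ")(")
    text = text.replace("ORG_ROOT_SUFFIX", ROOT).replace("ROOT_SUFFIX", ROOT)
    aci = {"target": None, "attr_op": None, "attrs": [], "filter": None}
    m = re.search(r'\(target\s*=\s*"ldap:///([^"]*)"\)', text)
    if m:
        aci["target"] = m.group(1).lower()
    m = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', text)
    if m:
        aci["attr_op"] = m.group(1)
        aci["attrs"] = [a.strip().lower() for a in m.group(2).split("||")]
    m = re.search(r'\(targetfilter\s*=\s*"?\(', text)
    if m:
        aci["filter"] = _parse_filter(text, m.end() - 1)[0]
    m = re.search(r'acl\s*"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?);\s*\)\s*$', text)
    aci["name"], aci["effect"] = m.group(1), m.group(2)
    aci["perms"] = {p.strip().lower() for p in m.group(3).split(",")}
    aci["bind"] = re.findall(r'(userdn|roledn)\s*(!?=)\s*"ldap:///([^"]*)"', m.group(4))
    return aci

def _applies(aci, entry, entry_dn, attr, bind_dn, roles):
    pat = aci["target"]                            # the entry itself or a subtree above it
    if pat and not (fnmatchcase(entry_dn, pat) or fnmatchcase(entry_dn, "*," + pat)):
        return False
    if aci["attr_op"]:                             # no targetattr: assume every attribute
        listed = "*" in aci["attrs"] or attr in aci["attrs"]
        if listed != (aci["attr_op"] == "="):
            return False
    if aci["filter"] and not _match(aci["filter"], entry):
        return False
    for kind, op, value in aci["bind"]:            # clauses are AND-joined in this note
        value = value.lower()
        hit = value in roles if kind == "roledn" else (
            value == "anyone" or value == bind_dn or (value == "self" and bind_dn == entry_dn))
        if hit != (op == "="):
            return False
    return True

def allowed(acis, entry, attr, right, bind_dn=None, roles=()):
    """Deny wins over allow; a request that no allow ACI matches is refused."""
    entry_dn, attr, decision = entry["dn"].lower(), attr.lower(), False
    bind_dn, roles = (bind_dn.lower() if bind_dn else None), {r.lower() for r in roles}
    for aci in acis:
        grants = right in aci["perms"] or ("all" in aci["perms"] and right != "proxy")
        if grants and _applies(aci, entry, entry_dn, attr, bind_dn, roles):
            if aci["effect"] == "deny":
                return False
            decision = True
    return decision

# ACIs copied from this note: User ACIs 1-4 (attribute lists abbreviated) and Miscellaneous ACI 6.
ACIS = [parse_aci(a) for a in [
    '''aci: (targetattr = "objectclass || inetuserstatus || iplanet-am-user-login-status
    || iplanet-am-user-admin-start-dn")(targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))
    (version 3.0; acl "S1IS User status self modification denied"; deny (write) userdn="ldap:///self";)''',
    '''aci: (targetattr != "iplanet-am-static-group-dn || uid || nsroledn || aci || nsLookThroughLimit
    || nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf")(version 3.0; acl "S1IS Allow self
    entry modification except for nsroledn, aci, and resource limit attributes"; allow (write)userdn ="ldap:///self";)''',
    '''aci: (targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout
    || iplanet-am-domain-url-access-allow")(version 3.0; acl "S1IS Allow self entry read search except
    for nsroledn, aci, resource limit and web agent policy attributes"; allow (read,search)userdn ="ldap:///self";)''',
    '''aci: (targetattr = "*")(version 3.0; acl "S1IS Deny deleting self"; deny (delete) userdn  ="ldap:///self";)''',
    '''aci: (target="ldap:///ou=services,ROOT_SUFFIX")(targetfilter=(!(objectclass=sunServiceComponent)))
    (targetattr = "*")(version 3.0; acl "S1IS Services anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)''',
]]

# Constructed sample entries (attribute names lower-cased, values as lists).
USER = {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "nsroledn": []}
TOP_ADMIN = {"dn": "uid=tla,ou=People,dc=example,dc=com", "nsroledn": ["cn=Top-level Admin Role,dc=example,dc=com"]}
SVC_SCHEMA = {"dn": "ou=iPlanetAMAuthService,ou=services,dc=example,dc=com", "objectclass": ["top"]}
SVC_CONFIG = {"dn": "ou=default,ou=1.0,ou=iPlanetAMAuthService,ou=services,dc=example,dc=com", "objectclass": ["top", "sunServiceComponent"]}

if __name__ == "__main__":
    print("self write userPassword:", allowed(ACIS, USER, "userPassword", "write", USER["dn"]))
    print("self write login-status:", allowed(ACIS, USER, "iplanet-am-user-login-status", "write", USER["dn"]))
    print("anonymous read service config:", allowed(ACIS, SVC_CONFIG, "sunKeyValue", "read"))
```

Because `_applies` matches targets with `fnmatchcase`, the same evaluator also handles the wildcard targets of the Top-level Policy Admin ACIs 2 and 3 (`ou=iPlanetAMAuthService,ou=services,*ROOT_SUFFIX` and `ou=services,*ROOT_SUFFIX`), which is a quick way to confirm that the deny on the authentication service really overrides the broader allow when auditing a customised ACI set.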

ACI 7:

aci: (target="ldap:///ou=iPlanetAMAdminConsoleService,*,ROOT_SUFFIX")
(targetattr = "*")(version 3.0; acl "S1IS iPlanetAMAdminConsoleService  
anonymous access"; allow (read, search, compare) userdn  = "ldap:///anyone";)

This ACI allows anonymous read, search, and compare access to all the attributes under the ou=iPlanetAMAdminConsoleService node of the tree. In an Access Manager 6 2005Q1 (6.3) and Access Manager 7 2005Q4 Legacy Mode installation, the console service (iPlanetAMAdminConsoleService) can be under any Organization and is not restricted to the root suffix; the wildcard in the target lets this ACI grant read access to the service in any Organization.

Important: Consider the potential performance impact of evaluating this ACI, since its wildcard target must be checked against entries throughout the tree.

ACI 8:

aci: (target="ldap:///cn=Top-level Admin Role,ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS Top-level admin delete right denied"; 
deny (delete) userdn = "ldap:///anyone"; )

No user, including anonymous users, can delete the Top-Level Admin Role entry (cn=Top-level Admin Role).

ACI 9:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(entrydn=ORG_ROOT_SUFFIX))(targetattr="*")
(version 3.0; acl "S1IS Default Organization delete right denied"; 
deny (delete) userdn = "ldap:///anyone"; )

No user, including anonymous users, can delete the top-level default organization (the entry at ORG_ROOT_SUFFIX).