The following ACIs in the remacis.ldif file are removed by the amtune-directory script when Access Manager is installed in Realm Mode (ROOT_SUFFIX, ORG_ROOT_SUFFIX and ORG_OBJECT_CLASS in the listing are placeholders for deployment-specific values). Note that most of these ACIs grant rather than restrict access — for example, self read/search on a user's own entry (ACI 8), anonymous read/search/compare of iPlanetAMAdminConsoleService (ACI 9), userPassword write for the Help Desk Admin roles (ACIs 3 and 16), and "allow (all)" for the Organization, Container and group admin roles (ACIs 10, 12, 14 and 17) — so removing them withdraws those rights at the directory level. Before running the script, check for any client or integration that relies on direct LDAP access under these roles, back up the existing aci values, and afterwards confirm the remaining ACIs on ROOT_SUFFIX match what you expect. Also note that the acl description of ACI 8 mentions nsroledn, but its targetattr exclusion list does not include that attribute; the targetattr expression, not the description, is what the directory enforces.
ACI 1:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter=(entrydn=ORG_ROOT_SUFFIX))(targetattr="*") (version 3.0; acl "S1IS Default Organization delete right denied"; deny (delete) userdn = "ldap:///anyone"; )
ACI 2:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))(targetattr = "*") (version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow"; allow (read,search) roledn = "ldap:///cn=Top-level Help Desk Admin Role,ROOT_SUFFIX";)
ACI 3:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX))) (targetattr = "userPassword") (version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow"; allow (write) roledn = "ldap:///cn=Top-level Help Desk Admin Role,ROOT_SUFFIX";)
ACI 4:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX))))(targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (read,search) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)
ACI 5:
aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*ROOT_SUFFIX") (targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access Auth Service deny"; deny (add,write,delete) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)
ACI 6:
aci: (target="ldap:///ou=services,*ROOT_SUFFIX") (targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (all) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)
ACI 7:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter="(objectclass=ORG_OBJECT_CLASS)") (targetattr = "sunRegisteredServiceName") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (read,write,search) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)
ACI 8:
aci: (targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || iplanet-am-domain-url-access-allow") (version 3.0; acl "S1IS Allow self entry read search except for nsroledn, aci, resource limit and web agent policy attributes"; allow (read,search)userdn ="ldap:///self";)
ACI 9:
aci: (target="ldap:///ou=iPlanetAMAdminConsoleService,*,ROOT_SUFFIX") (targetattr = "*")(version 3.0; acl "S1IS iPlanetAMAdminConsoleService anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
ACI 10:
aci: (target="ldap:///($dn),ROOT_SUFFIX") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)))) (targetattr != "nsroledn")(version 3.0; acl "S1IS Organization Admin Role access allow all"; allow (all) roledn = "ldap:///cn=Organization Admin Role,[$dn],ORG_ROOT_SUFFIX";)
ACI 11:
aci: (target="ldap:///cn=Organization Admin Role,($dn),ORG_ROOT_SUFFIX") (targetattr="*")(version 3.0; acl "S1IS Organization Admin Role access deny"; deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=Organization Admin Role, ($dn),ORG_ROOT_SUFFIX";)
ACI 12:
aci: (target="ldap:///($dn),ROOT_SUFFIX") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)))) (targetattr != "nsroledn")(version 3.0; acl "S1IS Container Admin Role access allow"; allow (all) roledn = "ldap:///cn=Container Admin Role,[$dn],ORG_ROOT_SUFFIX";)
ACI 13:
aci: (target="ldap:///cn=Container Admin Role,($dn),ORG_ROOT_SUFFIX") (targetattr="*")(version 3.0; acl "S1IS Container Admin Role access deny"; deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=Container Admin Role,($dn),ORG_ROOT_SUFFIX";)
ACI 14:
aci: (target="ldap:///ROOT_SUFFIX") (targetattr!="nsroledn")(version 3.0; acl "S1IS Group admin's right to the users he creates"; allow (all) userattr = "iplanet-am-modifiable-by#ROLEDN";)
ACI 15:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX) (nsroledn=cn=Organization Admin Role,ORG_ROOT_SUFFIX))))(targetattr = "*") (version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; allow (read,search) roledn = "ldap:///cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX";)
ACI 16:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX) (nsroledn=cn=Organization Admin Role,ORG_ROOT_SUFFIX)))) (targetattr = "userPassword") (version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; allow (write) roledn = "ldap:///cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX";)
ACI 17:
aci: (target="ldap:///ou=People,ORG_ROOT_SUFFIX") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX) (nsroledn=cn=Organization Admin Role,ROOT_SUFFIX) (nsroledn=cn=Container Admin Role,ORG_ROOT_SUFFIX)))) (targetattr != "iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list || nsroledn") (version 3.0; acl "S1IS Group and people container admin role"; allow (all) roledn = "ldap:///cn=ou=People_NM_ORG_ROOT_SUFFIX,ORG_ROOT_SUFFIX";)