Technical Note: Sun Java System Access Manager ACI Guide

People Container Admin Role ACIs

ACI 1:

aci: (target="ldap:///ou=People,ORG_ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Organization Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Container Admin Role,ORG_ROOT_SUFFIX))))
(targetattr != "iplanet-am-web-agent-access-allow-list 
|| iplanet-am-domain-url-access-allow 
|| iplanet-am-web-agent-access-deny-list || nsroledn") 
(version 3.0; acl "S1IS Group and people container admin role"; 
allow (all) roledn ="ldap:///cn=ou=People_NM_ORG_ROOT_SUFFIX,ORG_ROOT_SUFFIX";)
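
To make the scope of ACI 1 concrete, here is an added example (not part of the original note or of Access Manager) that parses the ACI text and checks whether a given entry and attribute fall inside it. It models only the targetfilter and targetattr clauses, not the target subtree or the roledn bind rule. The suffix values and the helper names `norm_dn`, `parse_aci` and `aci_covers` are assumptions made for the illustration.

```python
import re

# ACI 1 from the note, lines joined; placeholders kept as on the page.
ACI_1 = (
    '(target="ldap:///ou=People,ORG_ROOT_SUFFIX")'
    '(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)'
    '(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)'
    '(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)'
    '(nsroledn=cn=Organization Admin Role,ROOT_SUFFIX)'
    '(nsroledn=cn=Container Admin Role,ORG_ROOT_SUFFIX))))'
    '(targetattr != "iplanet-am-web-agent-access-allow-list '
    '|| iplanet-am-domain-url-access-allow '
    '|| iplanet-am-web-agent-access-deny-list || nsroledn")'
    '(version 3.0; acl "S1IS Group and people container admin role"; '
    'allow (all) roledn ="ldap:///cn=ou=People_NM_ORG_ROOT_SUFFIX,ORG_ROOT_SUFFIX";)'
)

# Constructed suffix values, assumed for this example only (hypothetical helpers below).
ROOT, ORG = "dc=example,dc=com", "o=sales,dc=example,dc=com"


def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas for comparison."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_aci(aci, root=ROOT, org=ORG):
    """Return (excluded role DNs, excluded attributes) from the ACI text."""
    # Substitute ORG_ROOT_SUFFIX first: it contains ROOT_SUFFIX as a substring.
    aci = aci.replace("ORG_ROOT_SUFFIX", org).replace("ROOT_SUFFIX", root)
    tfilter = re.search(r'\(targetfilter=(.*?)\)\s*\(targetattr', aci, re.S).group(1)
    roles = {norm_dn(dn) for dn in re.findall(r'\(nsroledn=([^()]+)\)', tfilter)}
    attrs = re.search(r'targetattr\s*!=\s*"([^"]*)"', aci).group(1)
    return roles, {a.strip().lower() for a in attrs.split("||")}


def aci_covers(entry_roles, attr, aci=ACI_1):
    """True if the entry passes the targetfilter and attr passes targetattr."""
    excluded_roles, excluded_attrs = parse_aci(aci)
    if excluded_roles & {norm_dn(r) for r in entry_roles}:
        return False  # (!(|...)) rejects any entry holding a listed role
    return attr.lower() not in excluded_attrs  # "!=" means all but these
```

`entry_roles` is the list of nsroledn values on the target user entry. Because the filter names Container Admin Role under ORG_ROOT_SUFFIX only, an entry holding a same-named role under a different suffix is still covered.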

Members of the Group container role and the People container role have all rights to all entries under the ou=People node of the root suffix. However, they do not have any rights over members who belong to the Top-level Help Desk Admin Role, Top-level Policy Admin Role, Container Admin Role and Organization Admin Role. In addition, members of the Group container role and the People container role do not have any rights to access the following attributes: