Technical Note: Sun Java System Access Manager ACI Guide

Dynamic ACIs

These ACIs are created at runtime when a new Organization, People Container, or Group is created.

Organization Policy Admin Role ACIs

ACI 1 example (two aci values):

aci=(target="ldap:///o=suborg,dc=iplanet,dc=com")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Top-level Help Desk Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Organization Admin Role,o=suborg,dc=iplanet,dc=com))))
(targetattr = "*")(version 3.0; acl "Organization Policy Admin access allow";
allow (read,search)
roledn = "ldap:///cn=Organization Policy Admin Role,o=suborg,dc=iplanet,dc=com";)

aci=(target="ldap:///ou=services,*o=suborg,dc=iplanet,dc=com")(targetattr = "*")
(version 3.0; acl "Organization Policy Admin Role access allow"; allow (all)
roledn = "ldap:///cn=Organization Policy Admin Role,o=suborg,dc=iplanet,dc=com";)

The first value gives members of the Organization Policy Admin Role read and search access to the whole organization subtree, except for entries that hold the Top-level Admin, Top-level Help Desk Admin, or Organization Admin role (the targetfilter excludes them, so a policy administrator cannot inspect the accounts of more privileged administrators). The second value gives the role all rights under ou=services of the organization, where the service configuration lives.

ACI 2 example:

aci=(target="ldap:///ou=iPlanetAMAuthService,ou=services,
*o=suborg,dc=iplanet,dc=com") (targetattr = "*")
(version 3.0; acl "Organization Policy Admin Role access Auth Service deny";
deny (add,write,delete)
roledn = "ldap:///cn=Organization Policy Admin Role,o=suborg,dc=iplanet,dc=com";)

Directory Server gives deny precedence over allow, so this value overrides the allow (all) that ACI 1 grants under ou=services: an Organization Policy Admin can still read and search the authentication service configuration (ACI 1 grants read and search on the whole organization) but cannot add, modify, or delete it. Note the closing parenthesis: the aci value is invalid without it and is rejected by the server.

ACI 3 example:

aci=(target="ldap:///o=suborg,dc=iplanet,dc=com")
(targetfilter="(objectclass=sunmanagedorganization)") 
(targetattr = "sunRegisteredServiceName") 
(version 3.0; acl "Organization Policy Admin Role access allow"; 
allow (read,write,search) 
roledn = "ldap:///cn=Organization Policy Admin Role,o=suborg,dc=iplanet,dc=com";)

This value is scoped to entries of objectclass sunmanagedorganization and to the single attribute sunRegisteredServiceName, which records the services registered for the organization; it lets the role register and unregister services without granting write access to anything else on the organization entry.

People Container Admin Role ACIs

ACI 1:

aci: (target="ldap:///ou=People,ORG_ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Organization Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Container Admin Role,ORG_ROOT_SUFFIX))))
(targetattr != "iplanet-am-web-agent-access-allow-list 
|| iplanet-am-domain-url-access-allow 
|| iplanet-am-web-agent-access-deny-list || nsroledn") 
(version 3.0; acl "S1IS Group and people container admin role"; 
allow (all) roledn ="ldap:///cn=ou=People_NM_ORG_ROOT_SUFFIX,ORG_ROOT_SUFFIX";)

Members of the Group Container Admin Role and the People Container Admin Role have all rights to every entry under ou=People of the organization root suffix (ORG_ROOT_SUFFIX). The targetfilter withholds those rights for entries that belong to the Top-level Admin Role, Top-level Help Desk Admin Role, Top-level Policy Admin Role, Organization Admin Role, or Container Admin Role, so a container administrator cannot manage the accounts of more privileged administrators. In addition, the targetattr clause excludes the following attributes, so members of these roles have no rights to them:

iplanet-am-web-agent-access-allow-list
iplanet-am-domain-url-access-allow
iplanet-am-web-agent-access-deny-list
nsroledn

Excluding nsroledn is the important one: without it a container administrator could write a role DN onto any user entry in the container and so hand out, or acquire, that role's rights.
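The Organization Policy Admin ACIs and the People Container Admin ACI above are easier to reason about when you can ask the access question directly. The following Python is an added example, not code from the Technical Note or from Access Manager: it parses the ACI values as printed (line breaks reflowed), substitutes constructed values for ROOT_SUFFIX and ORG_ROOT_SUFFIX, and decides requests with Directory Server's deny-overrides-allow rule. Everything else is an assumption of the toy model: a bind DN is represented by the one role it holds, targetattr scope is applied to every right in the same way, the filter subset is just &, |, ! and attr=value with wildcards, and the sample entries (alice, bob) and the ou=ExampleService name are constructed. The same parser accepts the Group Admin ACIs that follow; it ignores their targattrfilters clause.

```python
"""Toy evaluator for the delegated-admin ACIs quoted in this note.  Added example,
not Sun/Oracle code.  Assumptions: a bind DN is modelled by the one role it holds,
targetattr scope applies to every right alike, the filter subset is &, |, ! and
attr=value with '*' wildcards, and ROOT_SUFFIX / ORG_ROOT_SUFFIX get made-up values."""
import re
from fnmatch import fnmatchcase

def norm_dn(dn):
    """Lower-case and drop whitespace after commas so DNs compare reliably."""
    return re.sub(r",\s+", ",", dn.strip()).lower()

def parse_filter(s, i):
    """Recursive-descent parse of (&..), (|..), (!..) or (attr=value) starting at s[i]."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1            # i + 1 skips the closing ')'
    j = s.index(")", i)
    attr, val = s[i:j].split("=", 1)
    return ("=", attr.strip().lower(), norm_dn(val)), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attr: [values]} (attribute names lower-case)."""
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    _, attr, pat = node
    return any(fnmatchcase(norm_dn(v), pat) for v in entry.get(attr, []))

def parse_aci(text):
    """Pull target, targetfilter, targetattr, allow/deny rights and roledn out of one ACI value."""
    s = re.sub(r"\s*\n\s*", "", text)       # join the line breaks used in the note
    aci = {"target": norm_dn(re.search(r'target="ldap:///([^"]+)"', s).group(1))}
    m = re.search(r'targetfilter="?', s)
    aci["filter"] = parse_filter(s, m.end())[0] if m else None
    m = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', s)
    aci["attr_neg"] = m.group(1) == "!="
    aci["attrs"] = {a.strip().lower() for a in m.group(2).split("||")}
    m = re.search(r"\b(allow|deny)\s*\(([^)]*)\)", s)
    aci["kind"], aci["rights"] = m.group(1), {r.strip() for r in m.group(2).split(",")}
    aci["roledn"] = norm_dn(re.search(r'roledn\s*=\s*"ldap:///([^"]+)"', s).group(1))
    return aci

def decide(acis, bind_role, entry, attr, right):
    """True if a bind DN holding bind_role may exercise `right` on `attr` of entry (deny wins)."""
    allowed, dn = False, norm_dn(entry["dn"])
    for a in acis:
        in_tree = fnmatchcase(dn, a["target"]) or fnmatchcase(dn, "*," + a["target"])
        if not in_tree or norm_dn(bind_role) != a["roledn"]:
            continue
        if a["filter"] and not matches(a["filter"], entry):
            continue                        # e.g. the entry holds a more privileged role
        listed = "*" in a["attrs"] or attr.lower() in a["attrs"]
        if listed == a["attr_neg"]:         # with '!=' the attr is in scope only if NOT listed
            continue
        if right not in a["rights"] and "all" not in a["rights"]:
            continue
        if a["kind"] == "deny":
            return False                    # a deny overrides any allow, whatever the order
        allowed = True
    return allowed

RAW = [  # the note's ACI values (line breaks reflowed, text unchanged)
"""aci=(target="ldap:///o=suborg,dc=iplanet,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Top-level Help Desk Admin Role,dc=iplanet,dc=com)(nsroledn=cn=Organization Admin Role,o=suborg,dc=iplanet,dc=com))))
(targetattr = "*")(version 3.0; acl "Organization Policy Admin access allow"; allow (read,search)
roledn = "ldap:///cn=Organization Policy Admin Role,o=suborg,dc=iplanet,dc=com";)""",
"""aci=(target="ldap:///ou=services,*o=suborg,dc=iplanet,dc=com")(targetattr = "*")(version 3.0; acl "Organization Policy Admin Role access allow";
allow (all) roledn = "ldap:///cn=Organization Policy Admin Role,o=suborg,dc=iplanet,dc=com";)""",
"""aci=(target="ldap:///ou=iPlanetAMAuthService,ou=services,*o=suborg,dc=iplanet,dc=com")(targetattr = "*")
(version 3.0; acl "Organization Policy Admin Role access Auth Service deny"; deny (add,write,delete)
roledn = "ldap:///cn=Organization Policy Admin Role,o=suborg,dc=iplanet,dc=com";)""",
"""aci: (target="ldap:///ou=People,ORG_ROOT_SUFFIX")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Organization Admin Role,ROOT_SUFFIX)(nsroledn=cn=Container Admin Role,ORG_ROOT_SUFFIX))))
(targetattr != "iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn")(version 3.0; acl "S1IS Group and people container admin role";
allow (all) roledn ="ldap:///cn=ou=People_NM_ORG_ROOT_SUFFIX,ORG_ROOT_SUFFIX";)""",
]
ORG, ROOT = "o=suborg,dc=iplanet,dc=com", "dc=iplanet,dc=com"   # assumed placeholder values
ACIS = [parse_aci(t.replace("ORG_ROOT_SUFFIX", ORG).replace("ROOT_SUFFIX", ROOT)) for t in RAW]
OPA_ROLE = "cn=Organization Policy Admin Role,o=suborg,dc=iplanet,dc=com"
PCA_ROLE = ACIS[3]["roledn"]            # the runtime-generated People container admin role
# Constructed sample entries: alice is a plain user, bob holds two delegated admin roles.
ALICE = {"dn": "uid=alice,ou=People,o=suborg,dc=iplanet,dc=com"}
BOB = {"dn": "uid=bob,ou=People,o=suborg,dc=iplanet,dc=com", "nsroledn": [
    "cn=Organization Admin Role,o=suborg,dc=iplanet,dc=com", "cn=Container Admin Role,o=suborg,dc=iplanet,dc=com"]}
AUTH_SVC = {"dn": "ou=iPlanetAMAuthService,ou=services,o=suborg,dc=iplanet,dc=com"}
OTHER_SVC = {"dn": "ou=ExampleService,ou=services,o=suborg,dc=iplanet,dc=com"}   # constructed name

if __name__ == "__main__":
    print("OPA may write auth service config:", decide(ACIS, OPA_ROLE, AUTH_SVC, "sunKeyValue", "write"))
    print("PCA may write alice's nsroledn:", decide(ACIS, PCA_ROLE, ALICE, "nsroledn", "write"))
```

Run it as a script to print two of the interesting decisions, or import it and call decide() with your own entries and roles. The two checks worth keeping in mind when reading the note's ACIs are visible in decide(): a targetfilter that does not match the entry takes the whole ACI out of play (that is how the privileged-role exclusions work), and a single applicable deny ends the evaluation regardless of how many allows also apply.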

Group Admin Role ACIs

ACI 1 example:

aci=(target="ldap:///ou=People,dc=iplanet,dc=com") (targetattr="nsroledn")
(targattrfilters="add=nsroledn:(!(nsroledn=*)),del=nsroledn:(!(nsroledn=*))")
(version 3.0; acl "Group admin's right to add user to people container"; allow (add)
roledn ="ldap:///cn=cn=blach_ou=Groups_dc=iplanet_dc=com,dc=iplanet,dc=com";)

This value lets the group administrator (here the runtime-generated role for the group cn=blach) add entries under ou=People. The targattrfilters clause rejects an add or delete that supplies any nsroledn value, so a group administrator cannot create a user that is born into an administrative role.

ACI 2 example:

aci=(target="ldap:///cn=blach,ou=Groups,dc=iplanet,dc=com")
(targetattr = "*") (version 3.0; acl "Group and people container admin role";
allow (all)
roledn = "ldap:///cn=cn=blach_ou=Groups_dc=iplanet_dc=com,dc=iplanet,dc=com";)

This value gives the group administrator all rights on the group entry itself.

ACI 3 example:

aci=(target="ldap:///dc=iplanet,dc=com")
(targetfilter=(!(|(!(|(memberof=*cn=blach,ou=Groups,dc=iplanet,dc=com)
(iplanet-am-static-group-dn=*cn=blach,ou=Groups,dc=iplanet,dc=com)))
(|(nsroledn=cn=Top-level Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Top-level Help Desk Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Top-level Policy Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Organization Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Container Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Organization Policy Admin Role,dc=iplanet,dc=com)))))
(targetattr != "iplanet-am-web-agent-access-allow-list
|| iplanet-am-web-agent-access-not-enforced-list || iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn")
(version 3.0; acl "Group admin's right to the members"; allow (read,write,search)
roledn = "ldap:///cn=cn=blach_ou=Groups_dc=iplanet_dc=com,dc=iplanet,dc=com";)

The doubly negated targetfilter reads as "is a member of the group AND holds none of the listed administrative roles": an entry qualifies when its memberof or iplanet-am-static-group-dn attribute points at cn=blach and it carries none of the nsroledn values listed. For those entries the group administrator gets read, write, and search rights on all attributes except the web-agent access lists and nsroledn, the same exclusions as in the container ACI, so group membership can be administered without being able to grant roles.