Technical Note: Sun Java System Access Manager ACI Guide

Container Admin Role ACIs

ACI 1:

aci: (target="ldap:///($dn),ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX))))
(targetattr != "nsroledn")(version 3.0; acl "S1IS Container Admin Role access allow"; 
allow (all) roledn = "ldap:///cn=Container Admin Role,[$dn],ORG_ROOT_SUFFIX";)

This ACI gives 'all' permissions to the members of the Container Admin Role. Therefore, members of the Container Admin Role have 'all' permissions on all entries and attributes of that sub-organization, starting at the sub-organization entry. The 'all' access does not extend to the nsroledn attribute, and it does not apply to entries whose nsroledn values include one or more of the following roles: Top-level Admin Role, Top-level Help Desk Admin Role, or Top-level Policy Admin Role (each under ROOT_SUFFIX).

In other words, members of the Container Admin Role cannot read, write, delete, modify, or search the directory entries of members belonging to the above-listed roles. However, members of the Container Admin Role have permission to modify the nsroledn attribute in their own profiles.

ACI 2:

aci: (target="ldap:///cn=Container Admin Role,($dn),ORG_ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS Container Admin Role access deny"; 
deny (write,add,delete,compare,proxy) 
roledn = "ldap:///cn=Container Admin Role,($dn),ORG_ROOT_SUFFIX";)

This ACI applies to the Container Admin Role entry itself. Members of the Container Admin Role are denied write, add, delete, compare, and proxy permissions on all attributes of that container/sub-organization's Container Admin Role entry, so a container administrator cannot alter the definition of the role that grants the administrator's own rights.
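The combined effect of ACI 1 and ACI 2 is easiest to see by evaluating them against a few entries. The following Python model is an added example written for this note; it is not Access Manager or Directory Server code. It models only these two ACIs under the standard Directory Server rules (default deny, an explicit deny overrides any allow), treats the ROOT_SUFFIX and ORG_ROOT_SUFFIX placeholders as one suffix, and uses a constructed sub-organization "o=sales,ROOT_SUFFIX" with constructed user and role entries.

```python
# Added example (not product code): a small model of how the two Container
# Admin Role ACIs from this note are evaluated. All DNs and entries are
# constructed for illustration; ROOT_SUFFIX is kept as the placeholder the
# note itself uses.


def norm(dn: str) -> str:
    """Normalise a DN for comparison (case-insensitive, whitespace-trimmed)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# The three roles excluded by ACI 1's targetfilter.
TOP_LEVEL_ROLES = {norm(d) for d in (
    "cn=Top-level Admin Role,ROOT_SUFFIX",
    "cn=Top-level Help Desk Admin Role,ROOT_SUFFIX",
    "cn=Top-level Policy Admin Role,ROOT_SUFFIX",
)}

# Rights ACI 2 denies on the role entry itself.
ACI2_DENIED = {"write", "add", "delete", "compare", "proxy"}


def container_admin_role(org_dn: str) -> str:
    """DN of the Container Admin Role for a given sub-organization ($dn)."""
    return norm(f"cn=Container Admin Role,{org_dn}")


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn or lies below it (the ACI 1 target)."""
    e, b = norm(entry_dn), norm(base_dn)
    return e == b or e.endswith("," + b)


def holds_role(entry: dict, role_dn: str) -> bool:
    """True if the entry's nsroledn values include role_dn (the bind rule)."""
    return norm(role_dn) in {norm(r) for r in entry.get("nsroledn", [])}


def aci1_allows(entry: dict, attr: str, bind_entry: dict, org_dn: str) -> bool:
    """ACI 1: allow (all) on the sub-org subtree, minus the two exclusions."""
    if not is_under(entry["dn"], org_dn):                      # target
        return False
    if not holds_role(bind_entry, container_admin_role(org_dn)):  # roledn bind rule
        return False
    if any(norm(r) in TOP_LEVEL_ROLES for r in entry.get("nsroledn", [])):
        return False                                            # targetfilter
    if attr.lower() == "nsroledn":                              # targetattr != nsroledn
        return False
    return True


def aci2_denies(entry: dict, right: str, bind_entry: dict, org_dn: str) -> bool:
    """ACI 2: deny write/add/delete/compare/proxy on the role entry to its own members."""
    role_dn = container_admin_role(org_dn)
    if norm(entry["dn"]) != role_dn:                            # target is the role entry
        return False
    if not holds_role(bind_entry, role_dn):                     # roledn bind rule
        return False
    return right in ACI2_DENIED


def effective_right(entry: dict, attr: str, right: str, bind_entry: dict, org_dn: str) -> bool:
    """Directory Server evaluation order: default deny, and a deny always wins."""
    if aci2_denies(entry, right, bind_entry, org_dn):
        return False
    return aci1_allows(entry, attr, bind_entry, org_dn)


# Constructed sample directory for the sub-organization o=sales.
ORG_DN = "o=sales,ROOT_SUFFIX"
CADMIN = {"dn": "uid=cadmin,ou=People,o=sales,ROOT_SUFFIX",
          "nsroledn": ["cn=Container Admin Role,o=sales,ROOT_SUFFIX"]}
ALICE = {"dn": "uid=alice,ou=People,o=sales,ROOT_SUFFIX", "nsroledn": []}
TLADMIN = {"dn": "uid=tladmin,ou=People,o=sales,ROOT_SUFFIX",
           "nsroledn": ["cn=Top-level Admin Role,ROOT_SUFFIX"]}
ROLE_ENTRY = {"dn": "cn=Container Admin Role,o=sales,ROOT_SUFFIX", "nsroledn": []}
OTHER_ORG_USER = {"dn": "uid=bob,ou=People,o=hr,ROOT_SUFFIX", "nsroledn": []}


if __name__ == "__main__":
    cases = [
        ("cadmin writes alice's mail", ALICE, "mail", "write", CADMIN),
        ("cadmin writes alice's nsroledn", ALICE, "nsroledn", "write", CADMIN),
        ("cadmin reads a top-level admin's mail", TLADMIN, "mail", "read", CADMIN),
        ("cadmin writes its own role entry", ROLE_ENTRY, "description", "write", CADMIN),
        ("cadmin reads its own role entry", ROLE_ENTRY, "description", "read", CADMIN),
        ("cadmin reads a user in another sub-org", OTHER_ORG_USER, "mail", "read", CADMIN),
        ("alice (no role) reads her own mail", ALICE, "mail", "read", ALICE),
    ]
    for label, entry, attr, right, who in cases:
        print(f"{label}: {'ALLOW' if effective_right(entry, attr, right, who, ORG_DN) else 'DENY'}")
```

Two results are worth noticing: the role entry remains readable to its own members (ACI 2 denies only the modifying rights, so ACI 1's allow still covers read and search), and a user holding any of the three top-level roles is invisible to the container administrator even though the user's entry sits inside the sub-organization. Only these two ACIs are modelled; the self-modification of nsroledn mentioned above comes from other ACIs in the deployment and is not represented here.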