JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (
search filter icon
search icon

Document Information


Part I Directory Server Administration

1.  Directory Server Tools

2.  Directory Server Instances and Suffixes

3.  Directory Server Configuration

4.  Directory Server Entries

5.  Directory Server Security

6.  Directory Server Access Control

Creating, Viewing, and Modifying ACIs

To Create, Modify, and Delete ACIs

To View ACI Attribute Values

To View ACIs at the Root Level

ACI Syntax

ACI Targets

Target Syntax

Target Keywords

ACI Permissions

Permission Syntax

Permission Rights

Permissions for Typical LDAP Operations

ACI Bind Rules

Introduction to Bind Rules

Bind Rule Syntax

Bind Rule Keywords

Boolean Bind Rules

To Allow Normal Users to Manage User Accounts Using dsutil Command

Access Control Usage Examples

Granting Anonymous Access

ACI "Anonymous"

ACI "Anonymous World"

Granting Write Access to Personal Entries

ACI "Write"

ACI "Write Subscribers"

Granting Access to a Certain Level

ACI "Read only"

Restricting Access to Key Roles

ACI "Roles"

Granting a Role Full Access to an Entire Suffix

ACI "Full Access"

Granting a Group Full Access to a Suffix


Granting Rights to Add and Delete Group Entries

ACI "Create Group"

ACI "Delete Group"

Allowing Users to Add or Remove Themselves From a Group

ACI "Group Members"

Granting Conditional Access to a Group or Role

ACI "Company333"

Denying Access

ACI "Billing Info Read"

ACI "Billing Info Deny"

Proxy Authorization

Example Proxy Authorization

Setting a Target Using Filtering

Defining Permissions for DNs That Contain a Comma

Viewing Effective Rights

Restricting Access to the Get Effective Rights Control

Using the Get Effective Rights Control

Advanced Access Control: Using Macro ACIs

Macro ACI Example

Macro ACI Syntax

Matching for ($dn) in the Target

Substituting ($dn) in the Subject

Substituting [$dn] in the Subject

Macro Matching for ($attr.attrName)

Logging Access Control Information

To Set Logging for ACIs

Client-Host Access Control Through TCP Wrapping

To Enable TCP Wrapping

To Disable TCP Wrapping

7.  Directory Server Password Policy

8.  Directory Server Backup and Restore

9.  Directory Server Groups, Roles, and CoS

10.  Directory Server Replication

11.  Directory Server Schema

12.  Directory Server Indexing

13.  Directory Server Attribute Value Uniqueness

14.  Directory Server Logging

15.  Directory Server Monitoring

Part II Directory Proxy Server Administration

16.  Directory Proxy Server Tools

17.  Directory Proxy Server Instances

18.  LDAP Data Views

19.  Directory Proxy Server Certificates

20.  Directory Proxy Server Load Balancing and Client Affinity

21.  Directory Proxy Server Distribution

22.  Directory Proxy Server Virtualization

23.  Virtual Data Transformations

24.  Connections Between Directory Proxy Server and Back-End LDAP Servers

25.  Connections Between Clients and Directory Proxy Server

26.  Directory Proxy Server Client Authentication

27.  Directory Proxy Server Logging

28.  Directory Proxy Server Monitoring and Alerts

Part III Directory Service Control Center Administration

29.  Directory Service Control Center Configuration


Chapter 6

Directory Server Access Control

The control of access to your directory is an integral part of creating a secure directory. This chapter describes access control instructions (ACIs) that determine which permissions are granted to users who access the directory.

While you are in the planning phase of your directory deployment, define an access control strategy that serves your overall security policy. See the Oracle Directory Server Enterprise Edition Deployment Planning Guide for tips on planning an access control strategy.

For additional information about ACIs, including ACI syntax and bind rules, see Oracle Directory Server Enterprise Edition Reference.

This chapter covers the following topics: