JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Directory Server Enterprise Edition Reference 11 g Release 1 (
search filter icon
search icon

Document Information


1.  Directory Server Enterprise Edition File Reference

Software Layout for Directory Server Enterprise Edition

Directory Server Instance Default Layout

Directory Proxy Server Instance Default Layout

Part I Directory Server Reference

2.  Directory Server Overview

3.  Directory Server LDAP URLs

4.  Directory Server LDIF and Search Filters

5.  Directory Server Security

6.  Directory Server Monitoring

7.  Directory Server Replication

8.  Directory Server Data Caching

9.  Directory Server Indexing

10.  Directory Server Logging

11.  Directory Server Groups and Roles

12.  Directory Server Class of Service

13.  Directory Server DSMLv2

14.  Directory Server Internationalization Support

Part II Directory Proxy Server Reference

15.  Directory Proxy Server Overview

16.  Directory Proxy Server Load Balancing and Client Affinity

17.  Directory Proxy Server Distribution

18.  Directory Proxy Server Virtualization

Construction of Virtual Data Views

Virtual Data Transformations

Transformation Models

Mapping Transformations

Write Transformations

Read Transformations

Transformation Actions

Transformation Parameters

Transformation Examples

Additional Virtual Data View Properties

Join Data Views

Primary and Secondary Data Views

Additional Secondary Data View Properties

Join Rules

Handling of Shared Entries

Handling of Binds

How Directory Proxy Server Handles Read and Write Operations to Join Data Views

Virtual Data Transformations on Join Data Views

Coordinator Data Views

Features of Coordinator Data View

LDIF Data Views

JDBC Data Views

JDBC Data Sources and Data Source Pools

JDBC Object Classes

JDBC Tables

JDBC Attributes

Case Sensitivity in JDBC Data Views

Access Control On Virtual Data Views

Virtual ACI Definition

Global ACIs

Virtual ACI Syntax

Virtual ACI Storage and Access

Virtual ACI Application

Virtual Schema Checking

Schema Checking

Virtual Data Views and LDAP Groups

19.  Connections Between Directory Proxy Server and Backend LDAP Servers

20.  Connections Between Clients and Directory Proxy Server

21.  Directory Proxy Server Client Authentication

22.  Security in Directory Proxy Server

23.  Directory Proxy Server Logging

24.  Directory Proxy Server Alerts and Monitoring


Access Control On Virtual Data Views

In a virtual data view, Directory Proxy Server exposes virtual data. Directory Proxy Server is therefore responsible for controlling who can access that data, and what parts of the data can be accessed. To control access to virtual data, you can define virtual ACIs. When Directory Proxy Server receives a request on a virtual data view, it uses the virtual ACIs, and any authentication information provided by the user, to allow or deny access to the information that is requested.

This section describes the syntax and architecture of virtual ACIs. For information about configuring virtual ACIs, see Defining Access Control on Virtual Data Views in Oracle Directory Server Enterprise Edition Administration Guide.

Virtual ACI Definition

Virtual ACIs are defined by using the dpsaci operational attribute. The dpsaci attribute is multi-valued. This means that several ACIs can be defined for the same portion of a directory.

Directory Proxy Server is responsible for the management of the dpsaci attribute. This attribute can be configured along with the physical data but it is not stored with the data. When the dpsaci attribute is included in a request, Directory Proxy Server extracts it from the request and manages it in a dedicated ACI repository, through its own ACI data view.

A modify request that targets a virtual data view and contains the dpsaci attribute is effectively split into two requests by Directory Proxy Server. The first request handles only the virtual data, and the second request handles the virtual ACI.

Note - By default, write operations are forbidden on non-LDAP data views.

Global ACIs

Global ACIs are defined in the entry cn=data-source-name,cn=virtual access controls. These ACIs are evaluated by an ACI engine to deny or allow requests from a connection handler using that ACI pool. Global ACIs are required to allow or deny application administrators to access certain data. These application administrators can then provide more finely-grained access control to users, by placing ACIs directly in the data.

Only the proxy manager can create a pool of ACIs and manage ACIs directly through the ACI data view. Application administrators cannot manage ACIs directly through the ACI data view, even if they have the right to add entries. Application managers can only manage ACIs directly through the data.

ACIs that are defined in the data itself, are evaluated by Directory Proxy Server. These ACIs are entries in the pool of ACIs defined by the proxy manager, that is they are child entries of the entry cn=data-source-name,cn=virtual access controls.

ACIs have a performance impact. Therefore, if you use ACIs within the data itself, keep to a minimum the number of rules in the global ACIs, because these ACIs are evaluated every time the subtree is accessed.

Virtual ACI Syntax

The dpsaci attribute resembles the Directory Server aci attribute in syntax and behavior. For a description of Directory Server ACI syntax, see How Directory Server Provides Access Control.

The following list describes the differences between virtual ACIs and Directory Server ACIs.

Virtual ACI Storage and Access

Virtual ACIs are stored centrally, in an LDIF file or in an LDAP directory. When you create a Directory Proxy Server instance, the virtual ACIs are stored in the LDIF file instance-path /config/access_controls.ldif by default. You can change the location of the virtual ACIs, particularly if you need to share ACIs across multiple proxy servers. For information about how to change the location of virtual ACIs, see To Define a New ACI Storage Repository in Oracle Directory Server Enterprise Edition Administration Guide.

The ACI repository is accessed through an LDAP or LDIF data view, depending on the type of repository. By default, the access control data view is an LDIF data view named virtual access controls. The view base exposed by the access control data view must exist in the ACI repository.

The ACI repository contains one or more pools of ACIs. An ACI pool is defined by an LDAP entry of the type aciSource, directly below the view base of the data view. The ACI pool is a subtree of entries. It can contain access controls, and can be the parent entry of other entries containing ACIs.

Virtual ACI Application

Virtual ACIs are applied per connection handler. The name of the ACI pool to be used is defined as the aci-source property of the connection handler. Virtual access controls are not evaluated if you bind as the Proxy Manager.