Oracle Email Administrator's Guide Release 9.0.3 Part Number B10033-01
This section provides an overview of access control list policies set for Oracle Email in Oracle Internet Directory. These directory access control lists are set in Oracle Internet Directory during the infrastructure installation phase.
This appendix contains the following topics:
See Also: Oracle Internet Directory Administrator's Guide for more information on access control lists
The Oracle Email LDAP schema and entries are installed during the installation of Oracle Internet Directory. In Oracle Internet Directory, the cn=Products container under OracleContext contains all product-specific information. The mail server container underneath this product container contains all the Oracle Internet Directory entries related to the e-mail server component of Oracle Email.
The %s_OracleContextDN% parameter described in the following access control lists can be the root or subscriber OracleContext.
During installation, the following privilege group is created:
cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products,%s_OracleContextDN%
The members of this group are the e-mail server component administrators. Various access control lists on the cn=EMailServerContainer,cn=Products,%s_OracleContextDN% entry are as follows:

- cn=iASAdmins,cn=Groups,%s_OracleContextDN%, giving browse, add, delete and proxy permissions. This is required for the iasadmins to be able to do a proxy to the EmailServerContainer.

- The owner or targetdn attribute, giving read, search, write, selfwrite, and compare permissions to all entries. Since the mail users in the e-mail directory information tree have references to the organization level users, this ACL enables users to modify only entries they own. This prevents end users from modifying other users' entries, or entries they are not supposed to modify.

This example specifies the access control list that must be set in order for the public distribution lists to be searchable through standard clients. In an e-mail domain, the distribution lists are stored under the list container. For example, if the domain is oracle.com, the list container cn=List,dc=oracle,dc=com,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext needs to have the access control list "access to entry by * (browse)".
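As an added example (not code from the Oracle guide), the following Python derives the <Domain RDNs> and list container DN for a domain, parses the ACI clause quoted above, and emits the LDIF modify operation that would apply it. The orclaci attribute name is an assumption based on Oracle Internet Directory conventions, and the domain used in the usage call is a constructed sample.

```python
"""Build the LDIF that applies "access to entry by * (browse)" to an e-mail
domain's distribution-list container in Oracle Internet Directory.
Assumptions: the subtree ACI attribute is orclaci (not stated in the guide);
only the single-subject ACI form used in the guide is parsed."""
import re

# ACL quoted in the guide for the cn=List container of a domain.
ACI_BROWSE_ALL = "access to entry by * (browse)"

# Minimal grammar: "access to <entry|attr=(...)> by <*|group="dn"> (perm,perm)"
_ACI_RE = re.compile(
    r'^access to (?P<target>entry|attr=\([^)]*\))\s+by\s+'
    r'(?P<subject>\*|group="[^"]+")\s+\((?P<perms>[^)]*)\)$'
)


def domain_rdns(domain):
    """Map a mail domain to its <Domain RDNs>: oracle.com -> dc=oracle,dc=com."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=%s" % label for label in labels)


def list_container_dn(domain, oracle_context="cn=OracleContext"):
    """DN of the List container for the domain, following the guide's layout."""
    return ("cn=List,%s,cn=um_system,cn=EMailServerContainer,cn=Products,%s"
            % (domain_rdns(domain), oracle_context))


def parse_aci(aci):
    """Split an ACI clause into (target, subject, permissions) for review."""
    match = _ACI_RE.match(aci.strip())
    if not match:
        raise ValueError("unrecognised ACI form: %r" % aci)
    perms = tuple(p.strip() for p in match.group("perms").split(",") if p.strip())
    return match.group("target"), match.group("subject"), perms


def browse_acl_ldif(domain, aci_attr="orclaci"):
    """LDIF 'modify' operation adding the browse-for-everyone ACI (assumed attr)."""
    parse_aci(ACI_BROWSE_ALL)  # fail early if the ACI string is malformed
    return "\n".join([
        "dn: %s" % list_container_dn(domain),
        "changetype: modify",
        "add: %s" % aci_attr,
        "%s: %s" % (aci_attr, ACI_BROWSE_ALL),
        "",
    ])


if __name__ == "__main__":
    print(browse_acl_ldif("oracle.com"))  # constructed sample domain
```

The printed LDIF can be reviewed and then applied with the directory's ldapmodify tool; nothing here contacts a server.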
EmailAdminsGroup

The cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products,%s_OracleContextDN% group is also added to the following groups in order to have permissions for e-mail related directory operations.
The following privilege groups are created for Oracle Email e-mail server component administration:

cn=MailstoreAdminsGroup,cn=MailStores,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext

This group has read, search, compare, selfwrite, and write access to the attribute orclPasswordAttribute of the mail store entry; everybody else is denied access to this attribute.

cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products,cn=OracleContext
cn=DomainAdminsGroup,<Domain RDNs>,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext (if it exists)

cn=DomainAdminsGroup,<Domain RDNs>,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext

where <Domain RDNs> for the domain oracle.com is the string dc=oracle,dc=com.

Note: This group is present in a system where domain administrators have been created from the Thin Client administration pages.

This group has add, delete, browse, read, search, compare, and write permissions on the particular domain.