C
Oracle Email Access Control Lists

This section discusses the access control list policies set for Oracle Email in Oracle Internet Directory. Directory access control lists are set in Oracle Internet Directory during the infrastructure installation phase.

This appendix contains the following topics:

Mail Server Access Control Lists

The Oracle Email LDAP schema and entries are installed during the installation of Oracle Internet Directory. In Oracle Internet Directory, the cn=Products container under OracleContext contains all product-specific information. The mail server container underneath this product container contains all the Oracle Internet Directory entries related to the e-mail server component of Oracle Email.

The %s_OracleContextDN% parameter described in the following access control lists can be the root or subscriber OracleContext.

The installation process creates the following privilege group:

cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products,%s_OracleContextDN%

The members of this group are the e-mail server component administrators. Various access control lists on cn=EMailServerContainer,cn=Products, %s_OracleContextDN% entry are as follows:

Access control list for the group cn=iASAdmins, cn=Groups,%s_OracleContextDN% giving browse, add, delete and proxy permissions. This is required for the iasadmins to be able to proxy to the EmailServerContainer.
Access control list with DN = owner or targetdn attribute giving read, search, write, selfwrite, and compare permissions to all entries. Since the mail users in the e-mail directory information tree have references to the organization level users, this ACL enables users to modify only entries they own. This prevents end users from modifying other users' entries, or entries they are not supposed to modify.
Access control list enabling any user binding in Simple mode to have read and search permissions. This is required as the public users are stored outside the e-mail directory information tree. The bind mode "Simple" is added to restrict anonymous lookups using certain client tools, such as Netscape Navigator.
Access to the e-mail subtree is denied to everybody else.

See Also: :
Oracle Internet Directory Administrator's Guide for more information on access control lists

Oracle Internet Directory Group Membership for `EmailAdminsGroup`

The cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products, %s_OracleContextDN% also is added to the following groups in order to have permissions for e-mail related directory operations.

Table C-1 Oracle Internet Directory Group Membership Permissions

Group	Permissions
`cn=ComputerAdmins, cn=Groups,%s_OracleContextDN%`	The addition of `EmailAdminsGroup` to this group enables the e-mail administrators to create process entries under `cn=Computers`.
`cn=UserProxyPrivilege, cn=Groups,%s_OracleContextDN%`	The addition of `EmailAdminsGroup` to this group enables the e-mail administrators to proxy as the end users.
`cn=AuthenticationServices,cn=Groups,%s_OracleContextDN%`	The addition of `EmailAdminsGroup` to this group enables the e-mail servers to compare the user's password at the time of authentication.
`cn=verifierServices,cn=Groups,%s_OracleContextDN%`	The addition of `EmailAdminsGroup` to this group enables e-mail servers to compare the `orclpasswordverifier;email` attribute. This is required for voice mail authentication.

Oracle Email Privilege Groups

The following privilege groups are created for Oracle Email e-mail server component administration:

Group

cn=MailstoreAdminsGroup,cn=MailStores,cn=um_system,cn=EMailServerContainer,
cn=Products,cn=OracleContext

Permissions

Has read, search, compare, selfwrite, and write access to the attribute orclPasswordAttribute of the mail store entry. Everybody else is denied access to this attribute.

Members

cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products,cn=OracleContext 
cn=DomainAdminsGroup,Domain RDNs,cn=um_system,cn=EMailServerContainer,
cn=Products,cn=OracleContext - if exists

Group

cn=DomainAdminsGroup,<Domain RDNs>,cn=um_system,cn=EMailServerContainer,
cn=Products,cn=OracleContext

where:

Domain RDNs for the acme.com domain is the string dc=acme,dc=com

Note::

This group is present in a system where domain administrators have been created from the WebMail client administration pages.

Permissions

This group has add, delete, browse, read, search, compare, and write permissions on the particular domain.