The listing in this section shows the unused default ACIs that are discarded from the directory when the replacement.acis.ldif file is applied to it. Note that several of them are deny rules (the anonymous-write deny, and the delete protections on the root suffix and on the Top-level Admin Role entry), so after applying the file confirm that the ACIs that remain still cover those cases.
The discarded ACIs are grouped as follows:
#
# discard
#
aci: (targetattr ="*") (version 3.0;acl "Configuration Administrators Group"; allow (all) (groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)
#
# discard
#
aci: (targetattr ="*") (version 3.0;acl "Directory Administrators Group"; allow (all) (groupdn = "ldap:///cn=Directory Administrators, $rootSuffix");)
#
# discard
#
aci: (targetattr = "*") (version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, cn=Server Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot";)
#
# discard - prevents TLA from modifying the amldapuser account.
#
aci: (target="ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix") (targetattr = "*") (version 3.0; acl "S1IS special ldap auth user modify right"; deny (write) roledn != "ldap:///cn=Top-level Admin Role,$rootSuffix";)
#
# discard - protects SAML related attributes
#
aci: (targetattr="iplanet-am-saml-user || iplanet-am-saml-password") (targetfilter="(objectclass=iplanet-am-saml-service)") (version 3.0; acl "S1IS Right to modify saml user and password"; deny (all) (roledn != "ldap:///cn=Top-level Admin Role,$rootSuffix") AND (userdn != "ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix") AND (userdn != "ldap:///cn=puser,ou=DSAME Users,$rootSuffix"); )

#
# discard
#
aci: (target="ldap:///$rootSuffix") (targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix))) (targetattr = "*") (version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow"; allow (read,search) roledn = "ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix";)
#
# discard
#
aci: (target="ldap:///$rootSuffix") (targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix))) (targetattr = "userPassword") (version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow"; allow (write) roledn = "ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix";)

#
# discard
#
aci: (target="ldap:///$rootSuffix") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)))) (targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (read,search) roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)
#
# discard
#
aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix") (targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access Auth Service deny"; deny (add,write,delete) roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)
#
# discard
#
aci: (target="ldap:///ou=services,*$rootSuffix") (targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (all) roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)
#
# discard
#
aci: (target="ldap:///$rootSuffix") (targetfilter="(objectclass=sunismanagedorganization)") (targetattr = "sunRegisteredServiceName") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (read,write,search) roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)

#
# discard - prevents anyone other than rootdn from deleting
# default organization.
#
aci: (target="ldap:///$rootSuffix") (targetfilter=(entrydn=$rootSuffix)) (targetattr="*") (version 3.0; acl "S1IS Default Organization delete right denied"; deny (delete) userdn = "ldap:///anyone"; )
#
# discard - prevents any user other than rootdn from deleting the
# TLA admin role.
#
aci: (target="ldap:///cn=Top-level Admin Role,$rootSuffix") (targetattr="*") (version 3.0; acl "S1IS Top-level admin delete right denied"; deny(delete) userdn = "ldap:///anyone"; )

#
# discard
#
aci: (targetattr = "*") (version 3.0; acl "S1IS Deny write to anonymous user"; deny (add,write,delete) roledn ="ldap:///cn=Deny Write Access,$rootSuffix";)

#
# discard
#
aci: (target="ldap:///($dn),$rootSuffix") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix) (nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)))) (targetattr != "nsroledn") (version 3.0; acl "S1IS Container Admin Role access allow"; allow (all) roledn = "ldap:///cn=Container Admin Role,[$dn],$rootSuffix";)
#
# discard
#
aci: (target="ldap:///cn=Container Admin Role,($dn),$rootSuffix") (targetattr="*") (version 3.0; acl "S1IS Container Admin Role access deny"; deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=Container Admin Role,($dn),$rootSuffix";)
#
# discard
#
aci: (target="ldap:///ou=People,$rootSuffix") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix) (nsroledn=cn=Top-level Policy Admin Role,$rootSuffix) (nsroledn=cn=Organization Admin Role,$rootSuffix) (nsroledn=cn=Container Admin Role,$rootSuffix)))) (targetattr != "iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list || nsroledn") (version 3.0; acl "S1IS Group and people container admin role"; allow (all) roledn = "ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix";)

#
# discard
# (extra verses dreambig)
#
aci: (target="ldap:///$rootSuffix") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix) (nsroledn=cn=Top-level Policy Admin Role,$rootSuffix) (nsroledn=cn=Organization Admin Role,$rootSuffix)))) (targetattr = "*") (version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; allow (read,search) roledn = "ldap:///cn=Organization Help Desk Admin Role,$rootSuffix";)
#
# discard
#
aci: (target="ldap:///$rootSuffix") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix) (nsroledn=cn=Top-level Policy Admin Role,$rootSuffix) (nsroledn=cn=Organization Admin Role,$rootSuffix)))) (targetattr = "userPassword") (version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; allow (write) roledn = "ldap:///cn=Organization Help Desk Admin Role,$rootSuffix";)

#
# discard - Removal disables the associated privileges to the attribute
# iplanet-am-modifiable-by
#
aci: (target="ldap:///$rootSuffix") (targetattr!="nsroledn") (version 3.0; acl "S1IS Group admin's right to the users he creates"; allow (all) userattr = "iplanet-am-modifiable-by#ROLEDN";)
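To confirm that the discard actually happened (and to see which of these ACIs are still live before you apply replacement.acis.ldif), export the aci attribute of the suffix and its subtree to LDIF with ldapsearch and compare the acl names against the list above. The script below is an added example and is not part of the product or of replacement.acis.ldif: it unfolds LDIF continuation lines, handles base64 (`aci::`) values, pulls the `acl "..."` label out of each ACI and reports which names from the discard list remain. The sample LDIF embedded in it is constructed for the demonstration and uses a hypothetical suffix dc=example,dc=com.

```python
import base64
import re
import sys
from typing import Dict, List

# acl "..." labels of the default ACIs that replacement.acis.ldif discards,
# copied from the listing above.
DISCARDED_ACL_NAMES = [
    "Configuration Administrators Group",
    "Directory Administrators Group",
    "SIE Group",
    "S1IS special ldap auth user modify right",
    "S1IS Right to modify saml user and password",
    "S1IS Top-level Help Desk Admin Role access allow",
    "S1IS Top-level Policy Admin Role access allow",
    "S1IS Top-level Policy Admin Role access Auth Service deny",
    "S1IS Default Organization delete right denied",
    "S1IS Top-level admin delete right denied",
    "S1IS Deny write to anonymous user",
    "S1IS Container Admin Role access allow",
    "S1IS Container Admin Role access deny",
    "S1IS Group and people container admin role",
    "S1IS Organization Help Desk Admin Role access allow",
    "S1IS Group admin's right to the users he creates",
]

# ACI keywords are case-insensitive; the label sits between double quotes.
ACL_NAME_RE = re.compile(r'acl\s+"([^"]+)"', re.IGNORECASE)

# Constructed sample export (hypothetical suffix); one discarded ACI is
# still present, the other ACI is a site-specific one that should survive.
SAMPLE_LDIF = """version: 1
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
aci: (targetattr = "*") (version 3.0; acl "S1IS Deny write to anonymous user"; d
 eny (add,write,delete) roledn ="ldap:///cn=Deny Write Access,dc=example,dc=com";)
aci: (targetattr = "*") (version 3.0; acl "Custom app service account"; allow (r
 ead,search) userdn = "ldap:///uid=svc-app,ou=Services,dc=example,dc=com";)

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: joins folded lines (leading space), splits records
    on blank lines, decodes '::' base64 values, skips comments and 'version:'."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.lstrip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return records


def acl_names(record: Dict[str, List[str]]) -> List[str]:
    """acl labels of every aci value on one entry (unlabelled ACIs are truncated)."""
    names = []
    for aci in record.get("aci", []):
        m = ACL_NAME_RE.search(aci)
        names.append(m.group(1) if m else aci[:40])
    return names


def remaining_discarded(ldif_text: str) -> List[str]:
    """Discard-list names that still appear as aci values anywhere in the export."""
    present = set()
    for rec in parse_ldif(ldif_text):
        present.update(acl_names(rec))
    return [n for n in DISCARDED_ACL_NAMES if n in present]


if __name__ == "__main__":
    # Usage: python check_acis.py export.ldif   (no argument: run on the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    left = remaining_discarded(text)
    for name in left:
        print("still present:", name)
    sys.exit(1 if left else 0)
```

Run it once against an export taken before the replacement (every name it prints is an ACI that is about to be removed, so you can judge which of them, the deny rules in particular, need an equivalent among the new ACIs) and once afterwards, when it should print nothing and exit 0.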