-------------------------------------------------------------------------------------------------------------
# retain # aci: (target=”ldap:///$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS Proxy user rights”; allow (proxy) userdn = “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”; )
操作:保留。
此 ACI 可授予系统用户访问 Access Manager 的权限。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # retain # aci: (target=”ldap:///$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS special dsame user rights for all under the root suffix”; allow (all) userdn = “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”; )
操作:保留。
此 ACI 可授予系统用户访问 Access Manager 的权限。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # retain # aci: (target=”ldap:///$rootSuffix”)(targetattr=”*”)| (version 3.0;acl “S1IS special ldap auth user rights”; allow (read,search) userdn = “ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”; )
操作:保留。
此 ACI 可授予系统用户访问 Access Manager 的权限。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”) (targetattr = “*”) (version 3.0; acl “S1IS special ldap auth user modify right”; deny (write) roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”;)
操作:放弃。
此 ACI 可阻止顶级管理员 ( Top-Level Administrator, TLA) 修改 amldapuser 帐户。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # retain # aci: (target=”ldap:///$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS Top-level admin rights”; allow (all) roledn = “ldap:///cn=Top-level Admin Role,$rootSuffix”; )
操作:保留。
此 ACI 可向顶级管理员职责授予访问权限。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (targetattr=”iplanet-am-saml-user || iplanet-am-saml-password”) (targetfilter=”(objectclass=iplanet-am-saml-service)”) (version 3.0; acl “S1IS Right to modify saml user and password”; deny (all) (roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”) AND (userdn != “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”) AND (userdn != “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”); )
操作:放弃。
此 ACI 可保护 SAML 相关属性。
-------------------------------------------------------------------------------------------------------------