iPlanet Messaging Server 5.2 Provisioning Guide



Appendix A       Root and Domain ACI Examples


The ACIs listed in this Appendix are the default ACIs installed when a domain or root node is created in the directory information tree. You can modify these ACIs to suit your system. You can also view them online by doing an LDAP search on the root and domain entries. Note that domain organization ACIs must be added using LDAP when domain organizations are created. This Appendix contains the following sections:

Variable Definitions in ACI Example
Organization Tree Root Node ACIs
DC Tree Root Node ACIs
Hosted Domain ACIs
Domain Organization ACIs


Note If you are using a DC Tree for domain, user, and group entries (that is, you do not have an Organization Tree), none of the ACIs for the Organization Tree described in this Appendix are needed. In this case, wherever "<OrgRoot>" appears in the ACIs for the DC Tree, replace it with the value of <DCRoot>.





Variable Definitions in ACI Example



<OrgRoot> - Root of the Organization Tree. This is where the user and group entries are created in a default installation.

<DCRoot> - Root of the Domain Component Tree. This is where domain entries are created.

<OrgNodeDN> - Domain node in the Organization Tree. This is where the user and group entries for a domain reside.

<DCNodeDN> - Domain node in the DC Tree. This is where the user and group entries for a domain reside.

<DomainOrgNodeDN> - Root of the Domain Component Tree. This is where domain entries are created.



Organization Tree Root Node ACIs



The ACIs below grant the required access to Top-level Administrators, Domain Administrators, Domain Organization Administrators, Family Group Administrators, Mail List Owners, and End Users. Where necessary, additional ACIs are set on domain nodes and domain organization nodes further down the tree. If you are setting up the namespace from scratch (that is, you are not using the iPlanet Messaging Server installer to prepare the namespace), you must set these ACIs on the Organization Tree root node yourself.

Code Example A-1    Organization Tree Root Node ACIs

dn: <OrgRoot>
changetype: modify
add: aci
#
#-----------------------------------
# iDA User access control
#
# Allow read and search access to all attributes in all entries
#
aci: (targetattr="*") (version 3.0; acl "NDAUser access -
  product=ims5.0,class=nda,num=1,version=1"; allow (read,search)
  userdn="ldap:///uid=NDAUser,ou=config,<OrgRoot>";)
#
# Allow write access to nsNum* attributes of all domain entries
#
aci: (targetattr="nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains")
 (version 3.0; acl "NDAUser access - product=ims5.0,class=nda,num=2,
 version=1"; allow (write) userdn="ldap:///uid=NDAUser,ou=config,
 <OrgRoot>";)
#
#-----------------------------------
# Service Administrator access control
#
# Allow full access to the Organization Tree root node and the entries below it
#
aci: (targetattr="*") (version 3.0; acl "SA root node access -
  product=ims5.0,class=nda,num=3,version=1"; allow (all)
  groupdn="ldap:///cn=Service Administrators,ou=Groups,<OrgRoot>";)
#
#-----------------------------------
# Domain Administrator control.
#
# Deny write and delete access to any domain container node.
#
aci: (targetfilter="objectclass=nsManagedDomain") (version 3.0; acl
  "Domain Admin domain container access -
  product=ims5.0,class=nda,num=5,version=1"; deny (delete,write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" or
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)";)
#
#-----------------------------------
# User access control
#
# Allow read and search access to self
#
aci: (targetattr="*") (targetfilter=(objectClass=inetOrgPerson)) (version
  3.0; acl "User self search and read - product=ims5.0,class=nda,num=6,
 version=1"; allow (read,search) userdn="ldap:///self";)
#
# Allow write access to self
#
aci: (targetattr="*") (version 3.0; acl "Allow self entry modification -
  product=ims5.0,class=nda,num=7,version=1";
  allow (write) userdn = "ldap:///self";)
#
# Deny write access to self for uid, ou, owner, nsDAModifiableBy,
# nsDACapability, mail, mailAlternateAddress, memberOf, nsDADomain and the
# other account status, quota and routing attributes listed below
#
aci: (targetattr="uid||ou||owner||nsDAModifiableBy||nsDACapability||
 mail||mailAlternateAddress||memberOf||nsDADomain||inetuserstatus||
 mailuserstatus||memberOfManagedGroup||mailQuota||mailMsgQuota||
 inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess||
 pabURI||inetCOS") (targetfilter=(objectClass=nsManagedPerson))
 (version 3.0; acl "User self modification - product=ims5.0,class=nda,
 num=8,version=1"; deny (write) userdn = "ldap:///self" and
  userdn != "ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)"
  and userdn !=
 "ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)"
  and groupdn != "ldap:///cn=Service Administrators,ou=groups,<OrgRoot>";)
#
# Deny delete access to self
#
aci: (targetfilter=(objectClass=inetOrgPerson)) (version 3.0; acl
  "User self deletion - product=ims5.0,class=nda,num=9,version=1";
  deny (delete) userdn="ldap:///self";)
#
#-----------------------------------
# Mail List access control
#
# Allow designated users to create mail lists
#
aci: (targetattr="*")(targetfilter=(objectClass=inetMailGroupManagement))
 (version 3.0; acl "Mail list create access - product=ims5.0,class=nda,
 num=10,version=1"; allow (add)
  userdn="ldap:///<OrgRoot>??sub?(nsDACapability=mailListCreate)";)
#
# Allow maillist owner read, search, write, and delete access
# to the maillists s/he owns except for the nsMaxUsers attr
#
aci: (targetattr="*") (targetfilter=(objectClass=inetMailGroupManagement))
 (version 3.0; acl "Mail list owner access - product=ims5.0,class=nda,num=11,
 version=1"; allow (read,search,write,delete)
  groupdnattr="ldap:///<OrgRoot>?owner";)
#
#-----------------------------------
# Family Group Administrator access control
#
# family group read access
#
aci: (targetattr="*") (targetfilter=(objectClass=inetManagedGroup))
 (version 3.0; acl "Family Group Adm group read & search access -
  product=ims5.0,class=nda,num=12,version=1"; allow (read,search)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# family group write access for 'description' attribute
#
aci: (targetattr="description")
 (targetfilter=(objectClass=inetManagedGroup))
 (version 3.0; acl "Family Group Adm description write access -
  product=ims5.0,class=nda,num=13,version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# family group write access for 'mnggrpCurrentUsers' attribute
#
aci: (targetattr="mnggrpCurrentUsers")
 (targetfilter=(objectClass=inetManagedGroup)) (version 3.0; acl "Family
  Group Adm description write access - product=ims5.0,class=nda,num=14,
 version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# family member create,delete,modify permissions
#
aci: (targetattr="*") (targetfilter=(objectClass=nsManagedPerson))
 (version 3.0;acl "Family Group Adm member access - product=ims5.0,
 class=nda,num=15,version=1"; allow (add,read,search,write,delete)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# access to add,remove family admins of the same admin group
#
aci: (targetattr="uniquemember")
 (targetfilter=(&(|(objectClass=nsManagedDept)
 (objectClass=nsManagedDeptAdminGroup))(cn=Family Group
  Administrators*))) (version 3.0;acl "Family Group Adm admin write
  access - product=ims5.0,class=nda,num=16,version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///<OrgRoot>?uniquemember";)
#
# access to add,remove memberof attribute
#
aci: (targetattr="memberOf") (targetfilter=(objectClass=nsManagedPerson))
 (version 3.0;acl "Family Adm user access -
  product=ims5.0,class=nda,num=17,version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
#-----------------------------------
# Domain Organization Administrator
#
# access to the Domain Organization nodes.
#
aci: (targetattr="*") (targetfilter=(objectClass=inetdomainorg))(version
  3.0; acl "Domain Organization Administrator - Dom Org node read & search
  access - product=ims5.0,class=nda,num=21,version=1"; allow (read,search)
  groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# write access for selected attribute
#
aci: (targetattr="description||domOrgMaxUsers")
 (targetfilter=(objectClass=inetdomainorg)) (version 3.0; acl "Domain
  Organization Administrator - Dom Org node write access -
  product=ims5.0,class=nda,num=22,version=1"; allow (write)
  groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
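The ACIs above can be read back with an LDAP search for the aci attribute on the root and domain entries, and reviewing what is actually installed is the useful check after provisioning. The following parser is an added example, not part of the iPlanet guide: it unfolds the LDIF (the form in which this appendix lists the rules and in which an LDAP search returns them; a continuation line starts with one space, which the reader strips, so a fold between two words needs two spaces), splits each aci value into its target clauses, name, effect, rights and bind rule, and flags grants that a reviewer would want to look at. The root o=example.com and the last, deliberately over-broad rule are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: four root-node ACIs in the LDIF form this appendix uses, with the
# appendix's <OrgRoot> placeholder replaced by a hypothetical root (o=example.com).
# Where a fold falls between two words the continuation line carries two spaces: an
# LDIF reader strips exactly one, so "Family Group" / "Administrators" rejoin correctly.
# The last rule is deliberately over-broad so that the audit has something to flag.
SAMPLE_LDIF = """\
dn: o=example.com
changetype: modify
add: aci
aci: (targetattr="*") (version 3.0; acl "SA root node access -
  product=ims5.0,class=nda,num=3,version=1"; allow (all)
  groupdn="ldap:///cn=Service Administrators,ou=Groups,o=example.com";)
aci: (targetfilter="objectclass=nsManagedDomain") (version 3.0; acl
  "Domain Admin domain container access -
  product=ims5.0,class=nda,num=5,version=1"; deny (delete,write)
  userdn="ldap:///o=example.com??sub?(memberOf=cn=Domain Administrators*)";)
aci: (targetattr="*") (targetfilter=(objectClass=inetManagedGroup))
 (version 3.0; acl "Family Group Adm group read & search access -
  product=ims5.0,class=nda,num=12,version=1"; allow (read,search)
  userdn="ldap:///o=example.com??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///o=example.com?nsDAModifiableBy";)
aci: (targetattr="*") (version 3.0; acl "constructed bad rule"; allow (all)
  userdn="ldap:///anyone";)
"""


@dataclass
class Aci:
    name: str
    targetattr: Optional[Tuple[str, str]]   # (operator, value), e.g. ("!=", "userPassword")
    targetfilter: Optional[Tuple[str, str]]
    effect: str                             # "allow" or "deny"
    perms: List[str]
    bind_rule: str                          # text between the rights list and the closing ";)"


def unfold_ldif(text: str) -> List[str]:
    """Join RFC 2849 continuation lines (leading space) onto the preceding logical line."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def _target_clause(value: str, keyword: str) -> Optional[Tuple[str, str]]:
    """Return (operator, text) of the "(keyword=...)" clause, honouring the nested
    parentheses of LDAP filters such as (targetfilter=(&(|(a=b)(c=d))(e=f)))."""
    m = re.search(r"\(" + keyword + r"\s*(!?=)", value)
    if not m:
        return None
    depth = 0
    for i in range(m.start(), len(value)):
        if value[i] == "(":
            depth += 1
        elif value[i] == ")":
            depth -= 1
            if depth == 0:
                return m.group(1), value[m.end():i].strip().strip('"')
    raise ValueError("unbalanced parentheses in %s clause" % keyword)


_BODY = re.compile(
    r'\(version\s+3\.0\s*;\s*acl\s*"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*(?P<bind>.*?)\s*;\s*\)\s*$')


def parse_aci(value: str) -> Aci:
    """Split one aci attribute value into target clauses, name, effect, rights and bind rule."""
    m = _BODY.search(value)
    if not m:
        raise ValueError("unrecognised ACI syntax: " + value[:60])
    return Aci(name=m.group("name"),
               targetattr=_target_clause(value, "targetattr"),
               targetfilter=_target_clause(value, "targetfilter"),
               effect=m.group("effect"),
               perms=[p.strip() for p in m.group("perms").split(",")],
               bind_rule=m.group("bind").strip())


def load_acis(ldif_text: str) -> List[Aci]:
    """Parse every aci: value in an LDIF fragment, hand-written or returned by a search."""
    return [parse_aci(line[len("aci:"):].strip())
            for line in unfold_ldif(ldif_text) if line.startswith("aci:")]


def audit(acis: List[Aci]) -> List[Tuple[str, str]]:
    """Flag grants a reviewer would want to see: modifying rights handed to every bind
    identity, or full rights not tied to an explicitly named group."""
    findings = []
    for a in acis:
        if a.effect != "allow":
            continue
        modifying = {"all", "add", "write", "delete"} & set(a.perms)
        bind = a.bind_rule.lower()
        if modifying and ('userdn="ldap:///anyone"' in bind or 'userdn="ldap:///all"' in bind):
            findings.append((a.name, "grants " + ",".join(sorted(modifying)) + " to any bind identity"))
        elif "all" in a.perms and not bind.startswith("groupdn="):
            findings.append((a.name, "grants all rights without naming an administrator group"))
    return findings
```

Run load_acis() over the output of a search for the aci attribute on <OrgRoot>, <DCRoot> and each domain node and pass the result to audit(); the three rules taken from this appendix produce no findings, only the constructed fourth one does.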



DC Tree Root Node ACIs



The ACIs below grant the required access to Top-level Administrators, Domain Administrators, Domain Organization Administrators, Family Group Administrators, Mail List Owners, and End Users. Where necessary, additional ACIs are set on domain nodes and domain organization nodes further down the tree. If you are setting up the namespace from scratch (that is, you are not using the iPlanet Messaging Server installer to prepare the namespace), you must set these ACIs on the DC Tree root node yourself.

Code Example A-2    DC Tree Root Node ACIs

dn: <DCRoot>
changetype: modify
add: aci
#
#-----------------------------------
# iDA User access control
#
# Allow read and search access to all attributes in all entries
#
aci: (targetattr="*") (version 3.0; acl "NDAUser access -
  product=ims5.0,class=nda,num=1,version=1"; allow (read,search)
  userdn="ldap:///uid=NDAUser,ou=config,<OrgRoot>";)
#
# Allow write access to nsNum* attributes of all domain entries
#
aci: (targetattr="nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains")
 (version 3.0; acl "NDAUser access - product=ims5.0,class=nda,num=2,
 version=1"; allow (write) userdn="ldap:///uid=NDAUser,
 ou=config,<OrgRoot>";)
#
#-----------------------------------
# Service Administrator access control
#
# Allow full access to the DC Tree root node and the entries below it
#
aci: (targetattr="*") (version 3.0; acl "SA root node access -
  product=ims5.0,class=nda,num=3,version=1"; allow (all)
  groupdn="ldap:///cn=Service Administrators,ou=Groups,<OrgRoot>";)
#
#-----------------------------------
# Domain Administrator control.
#
# Access to dcroot to search for domain components
#
aci: (targetattr="*") (version 3.0; acl "Domain Admin dc root access -
  product=ims5.0,class=nda,num=4,version=1"; allow (read,search)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" or
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)";)
#
# Deny write and delete access to any domain container node.
#
aci: (targetfilter="objectclass=nsManagedDomain") (version 3.0; acl
  "Domain Admin domain container access -
  product=ims5.0,class=nda,num=5,version=1"; deny (delete,write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" or
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)";)
#
#-----------------------------------
# User access control
#
# Allow read and search access to self
#
aci: (targetattr="*") (targetfilter=(objectClass=inetOrgPerson)) (version
  3.0; acl "User self search and read - product=ims5.0,class=nda,num=6,
 version=1"; allow (read,search) userdn="ldap:///self";)
#
# Allow write access to self
#
aci: (targetattr="*") (version 3.0; acl "Allow self entry modification
  - product=ims5.0,class=nda,num=7,version=1"; allow (write) userdn =
 "ldap:///self";)
#
# Deny write access to self for uid, ou, owner, nsDAModifiableBy,
# nsDACapability, mail, mailAlternateAddress, memberOf, nsDADomain and the
# other account status, quota and routing attributes listed below
#
aci: (targetattr="uid||ou||owner||nsDAModifiableBy||nsDACapability||
 mail||mailAlternateAddress||memberOf||nsDADomain||inetuserstatus||
 mailuserstatus||memberOfManagedGroup||mailQuota||mailMsgQuota||
 inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess||
 pabURI||inetCOS") (targetfilter=(objectClass=nsManagedPerson))
 (version 3.0; acl "User self modification - product=ims5.0,class=nda,
 num=8,version=1"; deny (write) userdn = "ldap:///self" and userdn
  != "ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" and
  userdn != "ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)"
  and groupdn != "ldap:///cn=Service Administrators,ou=groups,<OrgRoot>";)
#
# Deny delete access to self
#
aci: (targetfilter=(objectClass=inetOrgPerson)) (version 3.0; acl "User
  self deletion - product=ims5.0,class=nda,num=9,version=1"; deny (delete)
  userdn="ldap:///self";)
#
#-----------------------------------
# Mail List access control
#
# Allow designated users to create mail lists
#
aci: (targetattr="*") (targetfilter=(objectClass=inetMailGroupManagement))
 (version 3.0; acl "Mail list create access - product=ims5.0,class=nda,
 num=10,version=1"; allow (add)
  userdn="ldap:///<DCRoot>??sub?(nsDACapability=mailListCreate)";)
#
# Allow maillist owner read, search, write, and delete access
# to the maillists s/he owns except for the nsMaxUsers attr
#
aci: (targetattr="*") (targetfilter=(objectClass=inetMailGroupManagement))
 (version 3.0; acl "Mail list owner access -
  product=ims5.0,class=nda,num=11,version=1"; allow (read,search,write,delete)
  groupdnattr="ldap:///<DCRoot>?owner";)
#
#-----------------------------------
# Family Group Administrator access control
#
# family group read access
#
aci: (targetattr="*") (targetfilter=(objectClass=inetManagedGroup))
 (version 3.0; acl "Family Group Adm group read & search access -
  product=ims5.0,class=nda,num=12,version=1"; allow (read,search)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# family group write access for 'description' attribute
#
aci: (targetattr="description")
 (targetfilter=(objectClass=inetManagedGroup)) (version 3.0; acl "Family
  Group Adm description write access -
  product=ims5.0,class=nda,num=13,version=1"; allow (write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# family group write access for 'mnggrpCurrentUsers' attribute
#
aci: (targetattr="mnggrpCurrentUsers")
 (targetfilter=(objectClass=inetManagedGroup)) (version 3.0; acl "Family
  Group Adm description write access -
  product=ims5.0,class=nda,num=14,version=1"; allow (write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# family member create,delete,modify permissions
#
aci: (targetattr="*") (targetfilter=(objectClass=nsManagedPerson))
 (version 3.0;acl "Family Group Adm member access -
  product=ims5.0,class=nda,num=15,version=1"; allow
  (add,read,search,write,delete)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# access to add,remove family admins of the same admin group
#
aci: (targetattr="uniquemember")
 (targetfilter=(&(|(objectClass=nsManagedDept)(objectClass=nsManagedDept
 AdminGroup))(cn=Family Group Administrators*))) (version 3.0;acl "Family
  Group Adm admin write access - product=ims5.0,class=nda,num=16,
 version=1"; allow (write) userdn="ldap:///<DCRoot>??sub?(memberOf=cn=
 Family Group Administrators*)" and
  groupdnattr="ldap:///<DCRoot>?uniquemember";)
#
# access to add,remove memberof attribute
#
aci: (targetattr="memberOf") (targetfilter=(objectClass=nsManagedPerson))
 (version 3.0;acl "Family Adm user access - product=ims5.0,class=nda,
 num=17,version=1"; allow (write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# Family Admin needs to read domain to get the dn
#
aci: (targetattr="objectclass||preferredmailhost||
 preferredmailmessagestore") (targetfilter=(objectClass=domain)) (version
  3.0;acl "Family Adm domain access - product=ims5.0,class=nda,num=18,
 version=1"; allow (read,search)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group
  Administrators*)" or userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family
  Group Administrators*)";)
#
#-----------------------------------
# Domain Organization Administrator
#
# Allow domain organization administrators to read the
# attributes from the dc tree.
#
aci: (targetattr="objectclass||preferredmailhost||
 preferredmailmessagestore||dc") (targetfilter=(objectClass=domain))
 (version 3.0;acl "Domain Organization Admin domain access -
  product=ims5.0,class=nda,num=20,version=1"; allow (read,search)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Organization
  Administrators*)" or userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain
  Organization Administrators*)";)
#
# access to the Domain Organization nodes.
#
aci: (targetattr="*") (targetfilter=(objectClass=inetdomainorg))(version
  3.0; acl "Domain Organization Administrator - Dom Org node read & search
  access - product=ims5.0,class=nda,num=21,version=1"; allow (read,search)
  groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# write access for selected attribute
#
aci: (targetattr="description||domOrgMaxUsers")
 (targetfilter=(objectClass=inetdomainorg))(version 3.0; acl "Domain
  Organization Administrator - Dom Org node write access -
  product=ims5.0,class=nda,num=22,version=1"; allow (write)
  groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)



Hosted Domain ACIs



The ACIs below grant the required access to Domain Administrators, Mail List Owners, and End Users. The six ACIs below are for the standard two-tree namespace: five rules on the Organization Tree domain node and one on the DC Tree domain node. If you are using a namespace with just a single DC Tree, all six rules are set on the hosted domain node. These ACIs must be set for every domain you provision.

Code Example A-3    Hosted Domain ACIs

dn: <OrgNodeDN>
changetype: modify
add: aci
#
#-----------------------------------
# Domain Administrator access control
#
# allow full access to the domains user/group subtree
#
aci: (targetattr="*") (version 3.0; acl "Domain Admin Domain access -
  product=ims5.0,class=nda,num=18,version=1"; allow (all)
  groupdn="ldap:///cn=Domain Administrators,ou=Groups,<OrgNodeDN>";)
#
#-----------------------------------
# End user access control
#
# allow users to read and search all users in the domain
# (every attribute except userPassword)
#
aci: (targetattr!="userPassword")
 (targetfilter=(|(objectClass=inetOrgPerson)(objectclass=nsManagedDomain
 ))) (version 3.0; acl "User access to all users in domain -
  product=ims5.0,class=nda,num=19,version=1"; allow (read,search)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)
#
# allow users to add themselves to self subscribe mail lists
#
aci: (targetattr="uniqueMember")
 (targetfilter=(&(objectClass=nsManagedMailList)
 (|(mgmanJoinability=anyone)(mgmanJoinability=all))))
 (version 3.0; acl "User mail list self subscribe access -
  product=ims5.0,class=nda,num=20,version=1"; allow (selfwrite)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)
#
# let users see mail lists that are not marked hidden
# (but not the member attributes)
#
aci: (targetattr!="uniqueMember||mgrpRfc822MailMember")
 (targetfilter=(&(objectClass=inetMailGroupManagement)
 (mgmanHidden=false))) (version 3.0; acl "User mail list access when
  visible - product=ims5.0,class=nda,num=21,version=1"; allow
  (read,search)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)
#
# show mail list members only when member visibility is anyone or all
#
aci: (targetattr="uniqueMember||mgrpRfc822MailMember")
 (targetfilter=(&(objectClass=inetMailGroupManagement)
 (|(mgmanMemberVisibility=anyone)(mgmanMemberVisibility=all)))) (version
  3.0; acl "User mail list member access -
  product=ims5.0,class=nda,num=22,version=1"; allow (read,search)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)

dn: <DCNodeDN>
changetype: modify
add: aci
#
#-----------------------------------
# Domain Administrator access to iCS attributes
#
aci: (targetattr="icsTimeZone||icsMandatorySubscribed||
 icsMandatoryView||icsDefaultAccess||icsRecurrenceBound||
 icsRecurrenceDate||icsAnonymousLogin||icsAnonymousAllowWrite||
 icsAnonymousCalendar||icsAnonymousSet||icsAnonymousDefaultSet||
 icsSessionTimeout||icsAllowRights||icsExtended||
 icsExtendedDomainPrefs")(targetfilter=(objectClass=icsCalendarDomain))
 (version 3.0; acl "Domain Adm calendar access - product=ims5.0,
 class=nda,num=16,version=1"; allow (all) groupdn="ldap:///cn=Domain
  Administrators,ou=Groups,<OrgNodeDN>";)



Domain Organization ACIs



These ACIs must be added to every domain organization you provision.

Code Example A-4    Domain Organization ACIs

dn: <DomainOrgNodeDN>
changetype: modify
add: aci
#
# Rights to modify, add, delete users
#
aci: (target="ldap:///uid=*,ou=people,<DomainOrgNodeDN>")
 (targetattr="*")
 (targetfilter=(objectclass=organizationalPerson))
 (version 3.0; acl "Domain Organization Admin User add,delete,write -
  product=ims5.0,class=nda,num=201,version=1";
  allow (add,write,delete)
  groupdn="ldap:///cn=Domain Organization
  Administrators,<DomainOrgNodeDN>";)
#
# Rights to modify, add, delete mailing lists.
#
aci: (target="ldap:///cn=*,ou=groups,<DomainOrgNodeDN>")
 (targetattr="*")
 (targetfilter=(objectclass=inetMailGroup))
 (version 3.0; acl "Domain Organization Admin User add,delete,write -
  product=ims5.0,class=nda,num=202,version=1";
  allow (add,write,delete)
  groupdn="ldap:///cn=Domain Organization
  Administrators,<DomainOrgNodeDN>";)
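The hosted domain ACIs must be set for every domain you provision and the domain organization ACIs for every domain organization, which makes them a natural candidate for generation rather than hand editing. The following generator is an added example, not part of the iPlanet guide: it substitutes the <OrgNodeDN> and <DCNodeDN> placeholders defined in this appendix into a template and folds the result as RFC 2849 LDIF, so that a long aci value is never split in a way that drops or adds a character. The template is cut down to three of the Code Example A-3 rules (the calendar attribute list shortened), and the DNs o=siroe.com,o=example.com and dc=siroe,dc=com,o=internet are constructed. The same function works for the Code Example A-4 template with <DomainOrgNodeDN> added to the substitution map.

```python
import re

# Hosted-domain ACI template from this appendix (Code Example A-3), cut down to three
# rules with the calendar attribute list shortened. The placeholders are the ones the
# appendix defines. Each entry is (placeholder naming the entry's DN, list of aci values).
TEMPLATE = [
    ("<OrgNodeDN>", [
        '(targetattr="*") (version 3.0; acl "Domain Admin Domain access - '
        'product=ims5.0,class=nda,num=18,version=1"; allow (all) '
        'groupdn="ldap:///cn=Domain Administrators,ou=Groups,<OrgNodeDN>";)',
        '(targetattr!="userPassword") '
        '(targetfilter=(|(objectClass=inetOrgPerson)(objectclass=nsManagedDomain))) '
        '(version 3.0; acl "User access to all users in domain - '
        'product=ims5.0,class=nda,num=19,version=1"; allow (read,search) '
        'userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)',
    ]),
    ("<DCNodeDN>", [
        '(targetattr="icsTimeZone||icsDefaultAccess||icsAllowRights") '
        '(targetfilter=(objectClass=icsCalendarDomain)) '
        '(version 3.0; acl "Domain Adm calendar access - '
        'product=ims5.0,class=nda,num=16,version=1"; allow (all) '
        'groupdn="ldap:///cn=Domain Administrators,ou=Groups,<OrgNodeDN>";)',
    ]),
]

LDIF_WIDTH = 76   # RFC 2849 recommends physical lines of at most 76 characters


def fold_ldif_line(line, width=LDIF_WIDTH):
    """Fold one logical line the RFC 2849 way: each continuation line begins with a
    single space, which the reader strips, so a split never drops or adds a character
    (splitting by hand at a word boundary with only one leading space loses that space)."""
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return chunks


def render_domain_acis(org_node_dn, dc_node_dn, template=TEMPLATE):
    """Return LDIF (modify/add: aci, one entry per tree) for one hosted domain."""
    subst = {"<OrgNodeDN>": org_node_dn, "<DCNodeDN>": dc_node_dn}
    entries = []
    for placeholder, rules in template:
        lines = ["dn: " + subst[placeholder], "changetype: modify", "add: aci"]
        for rule in rules:
            for key, dn in subst.items():
                rule = rule.replace(key, dn)
            if rule[:1] in (" ", ":", "<"):
                # such a value must be base64-encoded in LDIF; ACIs start with "(" so
                # this only guards against a broken template
                raise ValueError("value would need base64 encoding: " + rule[:30])
            lines.extend(fold_ldif_line("aci: " + rule))
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


def unfinished_placeholders(text):
    """Any '<Name>' token left in the output means a variable was not substituted."""
    return sorted(set(re.findall(r"<[A-Za-z]+>", text)))
```

Feed the returned text to ldapmodify as a directory administrator; unfinished_placeholders() is a cheap pre-flight check that no variable was left unsubstituted, since an aci containing a literal "<OrgNodeDN>" would grant nothing to anyone and the failure would only show up as users losing access.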


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated February 13, 2002