Access control provides a mechanism for restricting who can get access to various kinds of information in the Directory Server. The access control provider can be used to control a number of things, including:
Whether or not a client can retrieve an entry from the server.
Which attributes within the entry the client is allowed to retrieve.
Which values of an attribute the client is allowed to retrieve.
The ways in which the client is able to manipulate data in the directory.
A number of things can be taken into account when making access control decisions, including:
The DN with which the user authenticated.
The method by which the client authenticated to the server.
Any groups in which that user is a member.
The contents of the authenticated user's entry.
The contents of the target entry.
The address of the client system.
Whether or not the communication between the client and server is secure.
The time of day and/or day of week of the attempt.
See Controlling Access To Data in the Sun OpenDS Standard Edition 2.0 Administration Guide for details on the access control syntax.
In addition to the access control subsystem, the directory server also provides a privilege subsystem that can be used to control what a user is allowed to do. One of the available privileges is bypass-acl, which allows a client to bypass any restrictions that the access control subsystem would otherwise enforce.
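The decision factors listed above correspond to target and bind-rule keywords in the server's ACI syntax. The LDIF below is an added example, not taken from the OpenDS documentation: the suffix, group, address range and service account are constructed placeholders, and the keywords assume the ACI syntax covered in the Administration Guide.

```ldif
# Constructed sample: suffix, group, address range and account are placeholders.
# Keywords assume the ACI syntax covered in the Administration Guide.
#
# Entries and attributes a client may retrieve, decided by client address,
# day of week and time of day.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="cn || sn || mail")(targetfilter="(objectClass=person)")
 (version 3.0; acl "Office-hours read"; allow (read,search,compare)
  userdn="ldap:///all" and ip="192.0.2.*"
  and dayofweek="Mon,Tue,Wed,Thu,Fri"
  and timeofday>="0800" and timeofday<="1800";)

# How a client may manipulate data: users edit their own phone number,
# but only over a connection with a security strength factor of 128 or more.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="telephoneNumber")(version 3.0; acl "Self update";
  allow (write) userdn="ldap:///self" and ssf>="128";)

# Group membership plus authentication method: help desk staff who
# authenticated with a client certificate.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="cn || sn || mail || telephoneNumber")(version 3.0;
  acl "Help desk edit"; allow (read,search,write)
  groupdn="ldap:///cn=Help Desk,ou=Groups,dc=example,dc=com"
  and authmethod="ssl";)

# Contents of the target entry: the DN in its manager attribute may read it.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Manager read";
  allow (read,search) userattr="manager#USERDN";)

# None of the above constrains an account holding bypass-acl, so remove
# the privilege from accounts that do not need it.
dn: uid=svc-sync,ou=Service Accounts,dc=example,dc=com
changetype: modify
delete: ds-privilege-name
ds-privilege-name: bypass-acl
```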