Technical Note: Sun Java System Access Manager ACI Guide

Group Admin Role ACIs (the three ACIs below together scope a group administrator role to the People container, the group entry itself, and the group's members)

ACI 1 example — grants the group admin role the add right on the People container, while the targattrfilters clause rejects any nsroledn value being added or deleted, so a newly created user cannot be assigned a role at creation time:

aci=(target="ldap:///ou=People,dc=iplanet,dc=com") (targetattr="nsroledn")
(targattrfilters="add=nsroledn:(!(nsroledn=*)),del=nsroledn:(!(nsroledn=*))")
(version 3.0; acl "Group admin's  right to add user to people container"; allow (add) 
roledn ="ldap:///cn=cn=blach_ou=Groups_dc=iplanet_dc=com,dc=iplanet,dc=com";)

ACI 2 example — grants the group admin role all rights on all attributes of the group entry cn=blach itself:

aci=(target="ldap:///cn=blach,ou=Groups, dc=iplanet,dc=com")
(targetattr = "*") (version 3.0; acl "Group and people container admin role"; 
allow (all) 
roledn = "ldap:///cn=cn=blach_ou=Groups_dc=iplanet_dc=com,dc=iplanet,dc=com";)

ACI 3 example — grants read, write and search on entries under dc=iplanet,dc=com that are members of the group (matched by memberof or iplanet-am-static-group-dn) and do not hold any of the listed top-level or organization admin roles; nsroledn and the web-agent access-list attributes are excluded from the grant, so the role cannot alter members' role assignments or agent access policy:

aci=(target="ldap:///dc=iplanet,dc=com")
(targetfilter=(!(|(!(|(memberof=*cn=blach,ou=Groups, dc=iplanet,dc=com)
(iplanet-am-static-group-dn=*cn=blach,ou=Groups,dc=iplanet,dc=com)))
(|(nsroledn=cn=Top-level Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Top-level Help Desk Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Top-level Policy Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Organization Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Container Admin Role,dc=iplanet,dc=com)
(nsroledn=cn=Organization Policy Admin Role,dc=iplanet,dc=com)))))
(targetattr  != "iplanet-am-web-agent-access-allow-list 
||iplanet-am-web-agent-access-not-enforced-list || iplanet-am-domain-url-access-allow 
|| iplanet-am-web-agent-access-deny-list || nsroledn")
(version 3.0; acl  "Group admin's right to the members"; allow (read,write,search) 
roledn  = "ldap:///cn=cn=blach_ou=Groups_dc=iplanet_dc=com,dc=iplanet,dc=com";)