Technical Note: Sun Java System Access Manager ACI Guide

Miscellaneous ACIs

ACI 1:

aci: (target="ldap:///cn=schema")(targetattr="*")
(version 3.0; acl "S1IS Proxy user rights"; allow (proxy) 
userdn = "ldap:///cn=puser,ou=DSAME Users,ORG_ROOT_SUFFIX"; )

This ACI states that the DN cn=puser has proxy rights to the target directory entry that contains all the schema information for the server (cn=schema). Through proxy authorization it acts with the rights of the Directory Manager entry (cn=Directory Manager). (Directory Manager is the only user with write permission on the schema.)

In other words, the proxy user DN (cn=puser) gains access to the cn=schema subtree using the same access permissions as the Directory Manager. With this ACI in place, puser can bind to the directory and send an LDAP command such as ldapsearch or ldapmodify that requires the access rights of the Directory Manager.

ACI 2:

aci: (target="ldap:///ROOT_SUFFIX")(targetattr="*")
(version 3.0; acl "S1IS Proxy user rights"; allow (proxy) 
userdn = "ldap:///cn=puser,ou=DSAME Users,ORG_ROOT_SUFFIX"; )

This ACI states that the DN cn=puser has proxy rights to the target directory entry, which is the top organization or root node. Through proxy authorization it acts with the rights of the Directory Manager entry (cn=Directory Manager). In other words, the proxy user DN (cn=puser) gains access to the top organization or root node using the same access permissions as the Directory Manager. With this ACI in place, puser can bind to the directory and send an LDAP command such as ldapsearch or ldapmodify that requires the access rights of the Directory Manager.

ACI 3:

aci: (target="ldap:///ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS special ldap auth user rights";
allow (read,search) userdn = "ldap:///cn=amldapuser,ou=DSAME Users,ORG_ROOT_SUFFIX"; )

This ACI states that the DN cn=amldapuser has only read and search rights to the target directory entry, which is the top organization or root node, and to all entries under it. In other words, the amldapuser DN (cn=amldapuser) has read and search rights to the targeted entry. amldapuser is the bind DN user for the LDAP Authentication, Membership, and Policy services. This user has read and search access to all Directory Server entries.

ACI 4:

aci: (target="ldap:///ROOT_SUFFIX") (targetattr="*")
(version 3.0; acl "S1IS special dsame user rights for all under the root suffix";
allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,ORG_ROOT_SUFFIX"; )

This ACI states that the DN cn=dsameuser has all rights to the target directory entry, which is the top organization or root node, and to all entries under it. In other words, the dsameuser DN (cn=dsameuser) has all rights (read, write, search, delete, compare, and selfwrite) to the targeted entry, except proxy rights. dsameuser retrieves the LDAP configuration (for users, organizations, policies, services, agents, and so on) for the Access Manager SDK. The Directory Server administrator (by default uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot) likewise has all rights except proxy rights.

ACI 5:

aci: (targetattr="iplanet-am-saml-user || iplanet-am-saml-password")
(targetfilter="(objectclass=iplanet-am-saml-service)")(version 3.0;
acl "S1IS Right to modify saml user and password"; deny (all)
(roledn != "ldap:///cn=Top-level Admin Role,ROOT_SUFFIX")
AND (userdn != "ldap:///cn=dsameuser,ou=DSAME Users,ORG_ROOT_SUFFIX")
AND (userdn != "ldap:///cn=puser,ou=DSAME Users,ORG_ROOT_SUFFIX"); )

Only special users (dsameuser, the proxy user puser, or a member of the Top-level Admin role) can configure the SAML service at the global level. SAML service attributes and values are added as key/value pairs for the Trusted Partner Sites in the console using the Edit button, and the passwords are stored unencrypted. Liberty and SAML do not want all users to see these values in clear text. This ACI therefore denies access to the SAML user and password attributes for all users except members of the Top-Level Admin role, puser, and dsameuser. Note that the three bind-rule terms are joined with AND: the deny applies only to a bind that matches none of the three exceptions.

ACI 6:

aci: (target="ldap:///ou=services,ROOT_SUFFIX")
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = "*")(version 3.0; acl "S1IS Services anonymous access"; 
allow (read, search, compare) userdn = "ldap:///anyone";)

This ACI allows anyone, including anonymous binds, read, search, and compare access to the Service Schema, which is defined under the ou=services node of the tree. The targetfilter excludes entries whose objectclass is sunServiceComponent, so the ACI does not grant read, search, or compare access to the Service Configuration entries; access to Service Configuration is not granted here.

ACI 7:

aci: (target="ldap:///ou=iPlanetAMAdminConsoleService,*,ROOT_SUFFIX")
(targetattr = "*")(version 3.0; acl "S1IS iPlanetAMAdminConsoleService
anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

This ACI allows anonymous read, search, and compare access to all attributes under the ou=iPlanetAMAdminConsoleService node of the tree. In an Access Manager 6 2005Q1 (6.3) and Access Manager 7 2005Q4 Legacy Mode installation, the console service (iPlanetAMAdminConsoleService) can be under any Organization and is not restricted to the root suffix; the wildcard (*) in the target matches the service node under any Organization. This ACI grants read access to this service under any Organization.

Important: Consider the potential performance impact of evaluating this ACI. Because its target contains a wildcard, the Directory Server cannot tie the ACI to a single entry and may have to evaluate it for many entries.

ACI 8:

aci: (target="ldap:///cn=Top-level Admin Role,ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS Top-level admin delete right denied"; 
deny (delete) userdn = "ldap:///anyone"; )

No user, whether bound as a user or with anonymous access, can delete the members of the Top-Level Admin Role: the bind rule userdn = "ldap:///anyone" matches every bind, and a deny always takes precedence over any allow.

ACI 9:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(entrydn=ORG_ROOT_SUFFIX))(targetattr="*")
(version 3.0; acl "S1IS Default Organization delete right denied"; 
deny (delete) userdn = "ldap:///anyone"; )

No user, whether bound as a user or with anonymous access, can delete the top-level default organization. The targetfilter (entrydn=ORG_ROOT_SUFFIX) restricts the deny to the organization entry itself, so entries below it are not covered by this ACI.
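To check what ACIs 4, 5, 6 and 9 above actually grant to a given bind DN, here is an added example that is not part of this technical note and not Access Manager or Directory Server code: it parses those four ACIs exactly as printed and computes effective rights on a constructed entry, applying the Directory Server rule that a matching deny beats any allow. It assumes dc=example,dc=com for both ROOT_SUFFIX and ORG_ROOT_SUFFIX, treats an ACI with no target as sitting on the root suffix, expands "all" to the rights listed under ACI 4, and handles only the one-term targetfilter forms the guide uses.

```python
import re

ROOT = "dc=example,dc=com"   # constructed stand-in for the guide's ROOT_SUFFIX / ORG_ROOT_SUFFIX placeholders
ALL = {"read", "write", "search", "delete", "compare", "selfwrite"}   # "all" as the guide lists it; proxy is separate
ACI_RE = re.compile(r'^(?:\(target="ldap:///(?P<target>[^"]+)"\))?.*?acl "(?P<name>[^"]+)";\s*'
                    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)(?P<subject>.*);\s*\)\s*$')
ATTR_RE = re.compile(r'\(targetattr\s*=\s*"([^"]+)"\)')
FILTER_RE = re.compile(r'\(targetfilter="?(?P<neg>\(!)?\((?P<attr>\w+)=(?P<val>[^)]+)\)\)?"?\)')
COND_RE = re.compile(r'(userdn|roledn)\s*(!=|=)\s*"ldap:///([^"]+)"')

def parse_aci(text):   # one ACI as written in the guide; an ACI with no target is taken to sit on the root suffix
    text = re.sub(r"^aci:\s*", "", " ".join(text.split())).replace("ORG_ROOT_SUFFIX", ROOT).replace("ROOT_SUFFIX", ROOT)
    m, a, f = ACI_RE.match(text), ATTR_RE.search(text), FILTER_RE.search(text)
    if not m:
        raise ValueError("unsupported ACI: " + text)
    return {"name": m["name"], "target": m["target"] or ROOT, "effect": m["effect"],
            "rights": {r.strip() for r in m["rights"].split(",")},
            "attrs": None if not a or a[1].strip() == "*" else {x.strip().lower() for x in a[1].split("||")},
            "filter": (bool(f["neg"]), f["attr"].lower(), f["val"].lower()) if f else None,
            "conds": [(k, op == "=", dn.lower()) for k, op, dn in COND_RE.findall(m["subject"])]}

def applies(aci, bind_dn, entry, attr, roles):   # scope, targetattr, targetfilter and every bind-rule term must hold
    pat = re.escape(aci["target"].lower()).replace(r"\*", ".+")          # '*' in a target stands for any RDN sequence
    if not re.fullmatch(rf"(?:.+,)?{pat}", entry["dn"].lower()) or not (aci["attrs"] is None or attr in aci["attrs"]):
        return False
    if aci["filter"]:                                                     # one-term filters: (a=v), (!(a=v)), (entrydn=x)
        neg, key, val = aci["filter"]
        hit = entry["dn"].lower() == val if key == "entrydn" else val in [v.lower() for v in entry.get(key, [])]
        if hit == neg:
            return False
    for key, wants_equal, dn in aci["conds"]:     # terms are AND-joined; ldap:///anyone matches anonymous binds too
        hit = dn == "anyone" or dn in [r.lower() for r in (roles if key == "roledn" else [bind_dn])]
        if hit != wants_equal:
            return False
    return True

def effective_rights(acis, bind_dn, entry, attr="*", roles=()):   # a matching deny always beats a matching allow
    allowed, denied = set(), set()
    for aci in acis:
        if applies(aci, bind_dn, entry, attr.lower(), roles):
            (allowed if aci["effect"] == "allow" else denied).update(aci["rights"])
    expand = lambda s: (s - {"all"}) | (ALL if "all" in s else set())
    return expand(allowed) - expand(denied)

GUIDE_ACIS = [parse_aci(a) for a in (   # ACIs 4, 5, 6 and 9 from the guide, each on one line
    'aci: (target="ldap:///ROOT_SUFFIX") (targetattr="*")(version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,ORG_ROOT_SUFFIX"; )',
    'aci: (targetattr="iplanet-am-saml-user || iplanet-am-saml-password")(targetfilter="(objectclass=iplanet-am-saml-service)")(version 3.0; acl "S1IS Right to modify saml user and password"; deny (all) (roledn != "ldap:///cn=Top-level Admin Role,ROOT_SUFFIX") AND (userdn != "ldap:///cn=dsameuser,ou=DSAME Users,ORG_ROOT_SUFFIX") AND (userdn != "ldap:///cn=puser,ou=DSAME Users,ORG_ROOT_SUFFIX"); )',
    'aci: (target="ldap:///ou=services,ROOT_SUFFIX")(targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")(version 3.0; acl "S1IS Services anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)',
    'aci: (target="ldap:///ROOT_SUFFIX")(targetfilter=(entrydn=ORG_ROOT_SUFFIX))(targetattr="*")(version 3.0; acl "S1IS Default Organization delete right denied"; deny (delete) userdn = "ldap:///anyone"; )',
)]
```

Entries are plain dicts with a dn and an objectclass list; for example, effective_rights(GUIDE_ACIS, "uid=jdoe,ou=People,dc=example,dc=com", saml_entry, "iplanet-am-saml-password") returns an empty set for an ordinary user, while passing roles=["cn=Top-level Admin Role,dc=example,dc=com"] lifts the deny.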