Directory Server provides several security features to achieve compliance with information security policies. These features ensure that only users with proper authorization have access to information.
Macro-level, dynamic access control instructions (ACIs). Provide a means for defining access down to the level of an LDAP attribute. Access control policies can be defined once, and then reused across the directory tree. Macro ACIs can be used to optimize the number of ACIs in the directory, thereby reducing the complexity of the security framework.
Role-based access. Enables you to provide access that is based on information in a user's entry. Roles are defined and administered like groups, but roles provide more efficient grouping mechanisms for applications. Roles can be used in ACIs to control access to data. They can also be used by Class of Service (CoS), a capability of Directory Server to create virtual attributes that can apply to many entries at the same time. These virtual attributes reduce storage requirements on entries. They also allow a single change to update an unlimited number of related entries.
Get Effective Rights control. Provides a means for determining what access a user has to a set of information. Administrators who maintain access policies for the directory service can tighten security by auditing the permissions of directory users and applications. This capability can also be used to build applications with adaptive interfaces that are based on the user's rights.
Encryption mechanisms. Protect data on the disk and during transfer through communications channels. Directory Server also supports fractional replication and data hiding based on access. These mechanisms can be used to comply with European Union and other international privacy regulations.
Multiple password policies. Can be defined on a per-user basis or targeted to certain groups. These policies help to ensure that users change passwords on a regular basis and that unauthorized access to an account is blocked.