Root Suffix
-------------------------------------------------------------------------------------------------------------
dn: $rootSuffix # # consolidate # aci: (targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime”) (version 3.0; acl “Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes”; allow (write) userdn =”ldap:///self”;)
Action: Consolidate.
There is no requirement for self access to this suffix. This ACI is duplicated; it can be incorporated into the self ACIs on the root suffix.
------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # retain # aci: (targetattr = “*”) (version 3.0; acl “Configuration Administrator”; allow (all) userdn = “ldap:///uid=admin, ou=Administrators, ou=TopologyManagement,o=NetscapeRoot”;)
Action: Retain.
This is the “admin” user who would authenticate via Pass-Through Authentication to the slapd-config instance. If all configuration is to be performed as Directory Manager, using comm and line utilities, this ACI is not required. On the chance that someone needs to authenticate to the console as this user, this ACI can be kept here. Similar ACIs can be removed.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (targetattr =”*”) (version 3.0;acl “Configuration Administrators Group”; allow (all) (groupdn = “ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot”);)
Action: Discard on all DB back-ends.
This is the “Configuration Administrators” group that would have privileges if the console were being used to delegate server-administration privileges.
------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (targetattr =”*”) (version 3.0;acl “Directory Administrators Group”; allow (all) (groupdn = “ldap:///cn=Directory Administrators, $rootSuffix”);)
Action: Discard on all DB back-ends.
This is the general “Directory Administrators” group privilege definition.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (targetattr = “*”) (version 3.0; acl “SIE Group”; allow (all) groupdn = “ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, cn=Server Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot”;)
Action: Discard on all DB back-ends.
This is a Console/Administration server-related group privilege definition.
-------------------------------------------------------------------------------------------------------------
Access Manager
-------------------------------------------------------------------------------------------------------------
# retain # aci: (target=”ldap:///$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS Proxy user rights”; allow (proxy) userdn = “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”; )
Action: Retain.
This ACI grants access to a system user for Access Manager.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # retain # aci: (target=”ldap:///$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS special dsame user rights for all under the root suffix”; allow (all) userdn = “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”; )
Action: Retain.
This ACI grants access to a system user for Access Manager.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # retain # aci: (target=”ldap:///$rootSuffix”)(targetattr=”*”)| (version 3.0;acl “S1IS special ldap auth user rights”; allow (read,search) userdn = “ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”; )
Action: Retain.
This ACI grants access to a system user for Access Manager.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”) (targetattr = “*”) (version 3.0; acl “S1IS special ldap auth user modify right”; deny (write) roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”;)
Action: Discard.
This ACI prevents the Top-Level Administrator (TLA) from modifying the amldapuser account.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # retain # aci: (target=”ldap:///$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS Top-level admin rights”; allow (all) roledn = “ldap:///cn=Top-level Admin Role,$rootSuffix”; )
Action: Retain.
This ACI grants access to the Top-Level Administrator role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (targetattr=”iplanet-am-saml-user || iplanet-am-saml-password”) (targetfilter=”(objectclass=iplanet-am-saml-service)”) (version 3.0; acl “S1IS Right to modify saml user and password”; deny (all) (roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”) AND (userdn != “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”) AND (userdn != “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”); )
Action: Discard.
This ACI protects SAML-related attributes.
-------------------------------------------------------------------------------------------------------------
Top-level Help Desk Admin Role
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///$rootSuffix”) (targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix))) (targetattr = “*”) (version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”; allow (read,search) roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)
Action: Discard.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///$rootSuffix”) (targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix))) (targetattr = “userPassword”) (version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”; allow (write) roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)
Action: Discard.
-------------------------------------------------------------------------------------------------------------
Top-level Policy Admin Role
-------------------------------------------------------------------------------------------------------------
# # discard # aci: target=”ldap:///$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)))) (targetattr = “*”) (version 3.0; acl “S1IS Top-level Policy Admin Role access allow”; allow (read,search) roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
Action: Discard.
This ACI pertains to the Top-level Policy Admin role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix”) (targetattr = “*”) (version 3.0; acl “S1IS Top-level Policy Admin Role access Auth Service deny”; deny (add,write,delete) roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
Action: Discard.
This ACI pertains to the Top-level Policy Admin role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///ou=services,*$rootSuffix”) (targetattr = “*”) (version 3.0; acl “S1IS Top-level Policy Admin Role access allow”; allow (all) roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
Action: Discard.
This ACI pertains to the Top-level Policy Admin role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///$rootSuffix”) (targetfilter=”(objectclass=sunismanagedorganization)”) (targetattr = “sunRegisteredServiceName”) (version 3.0; acl “S1IS Top-level Policy Admin Role access allow”; allow (read,write,search) roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
Action: Discard.
This ACI pertains to the Top-level Policy Admin role.
-------------------------------------------------------------------------------------------------------------
AM Self
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (targetattr = “*”) (version 3.0; acl “S1IS Deny deleting self”; deny (delete) userdn =”ldap:///self”;)
Action: Consolidate into a single self-write ACI. The explicit deny is not required, since end users do not have permission to delete any entry, including themselves.
This is one of several ACIs that set self-privileges. The explicit deny prevents any entry from deleting itself.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (targetattr = “objectclass || inetuserstatus || iplanet-am-user-login-status || iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life || iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions || iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class”) (targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix))) (version 3.0; acl “S1IS User status self modification denied”; deny (write) userdn =”ldap:///self”;)
Action: Consolidate into a single self-write ACI.
This is one of several ACIs that set self-write privileges.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (targetattr != “iplanet-am-static-group-dn || uid || nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf || iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list”) (version 3.0; acl “S1IS Allow self entry modification except for nsroledn, aci, and resource limit attributes”; allow (write) userdn =”ldap:///self”;)
Action: Consolidate into a single self-write ACI.
This is one of several ACIs that set privileges.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (targetattr != “aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || iplanet-am-domain-url-access-allow”) (version 3.0; acl “S1IS Allow self entry read search except for nsroledn, aci, resource limit and web agent policy attributes”; allow (read,search) userdn =”ldap:///self”;)
Action: Consolidate into a single self-write ACI.
This is one of several ACIs that set self-write privileges.
-------------------------------------------------------------------------------------------------------------
AM Anonymous
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (target=”ldap:///ou=services,$rootSuffix”) (targetfilter=(!(objectclass=sunServiceComponent))) (targetattr = “*”) (version 3.0; acl “S1IS Services anonymous access”; allow (read, search, compare) userdn = “ldap:///anyone”;)
Action: Consolidate into a single anonymous ACI.
This is one of several ACIs that grant anonymous privileges.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (target=”ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix”) (targetattr = “*”) (version 3.0; acl “S1IS iPlanetAMAdminConsoleService anonymous access”; allow (read, search, compare) userdn = “ldap:///anyone”;)
Action: Consolidate into a single anonymous ACI.
This is one of several ACIs that grant anonymous privileges.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///$rootSuffix”) (targetfilter=(entrydn=$rootSuffix)) (targetattr=”*”) (version 3.0; acl “S1IS Default Organization delete right denied”; deny (delete) userdn = “ldap:///anyone”; )
Action: Discard.
This ACI prevents any user (other than the rootdn) from deleting the default organization.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///cn=Top-level Admin Role,$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS Top-level admin delete right denied”; deny(delete) userdn = “ldap:///anyone”; )
Action: Discard.
This ACI prevents any user (other than the rootdn) from deleting the Top-Level Administrator role.
-------------------------------------------------------------------------------------------------------------
AM Deny Write Access
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (targetattr = “*”) (version 3.0; acl “S1IS Deny write to anonymous user”; deny (add,write,delete) roledn =”ldap:///cn=Deny Write Access,$rootSuffix”;)
Action: Discard.
This ACI pertains to the Deny Write Access Role.
-------------------------------------------------------------------------------------------------------------
AM Container Admin Role
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix) (nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)))) (targetattr != “nsroledn”) (version 3.0; acl “S1IS Container Admin Role access allow”; allow (all) roledn = “ldap:///cn=Container Admin Role,[$dn],$rootSuffix”;)
Action: Discard.
This ACI pertains to the Container Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///cn=Container Admin Role,($dn),$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS Container Admin Role access deny”; deny (write,add,delete,compare,proxy) roledn = “ldap:///cn=Container Admin Role,($dn),$rootSuffix”;)
Action: Discard.
This ACI pertains to the Container Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///ou=People,$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix) (nsroledn=cn=Top-level Policy Admin Role,$rootSuffix) (nsroledn=cn=Organization Admin Role,$rootSuffix) (nsroledn=cn=Container Admin Role,$rootSuffix)))) (targetattr != “iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list || nsroledn”) (version 3.0; acl “S1IS Group and people container admin role”; allow (all) roledn = “ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix”;)
Action: Discard.
This ACI pertains to the Group and People Container Admin Role.
-------------------------------------------------------------------------------------------------------------
Organization Help Desk
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (extra verses dreambig) (target=”ldap:///$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix) (nsroledn=cn=Top-level Policy Admin Role,$rootSuffix) (nsroledn=cn=Organization Admin Role,$rootSuffix)))) (targetattr = “*”) (version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”; allow (read,search) roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)
Action: Discard.
This ACI pertains to the Organization Help Desk Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # discard # aci: (target=”ldap:///$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix) (nsroledn=cn=Top-level Policy Admin Role,$rootSuffix) (nsroledn=cn=Organization Admin Role,$rootSuffix)))) (targetattr = “userPassword”) (version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”; allow (write) roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)
Action: Discard.
This ACI pertains to the Organization Help Desk Admin Role.
-------------------------------------------------------------------------------------------------------------
AM Organization Admin Role
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (different name - “allow all” instead of “allow”) (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix) (nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)))) (targetattr != “nsroledn”) (version 3.0; acl “S1IS Organization Admin Role access allow all”; allow (all) roledn =”ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)
Action: Consolidate.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS Organization Admin Role access deny”; deny (write,add,delete,compare,proxy) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)
Action: Consolidate.
This ACI pertains to the Organization Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (missing) (target=”ldap:///($dn),$rootSuffix”) (targetattr=”*”) (version 3.0; acl “Organization Admin Role access allow read to org node”; allow (read,search) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;)
Action: Consolidate.
This ACI pertains to the Organization Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)))) (targetattr != “nsroledn”) (version 3.0; acl “Organization Admin Role access allow”; allow (all) roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)
Action: Consolidate.
This ACI pertains to the Organization Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (target=”ldap:///($dn),$rootSuffix”) (targetattr!=”businessCategory || description || facsimileTelephoneNumber || postalAddress || preferredLanguage || searchGuide || postOfficeBox || postalCode || registeredaddress || street || l || st || telephonenumber ||maildomainreportaddress || maildomainwelcomemessage || preferredlanguage || sunenablegab”) (version 3.0; acl “Organization Admin Role access deny to org node”; deny (write,add,delete) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;)
Action: Consolidate.
This ACI pertains to the Organization Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)))) (targetattr != “nsroledn”) (version 3.0; acl “S1IS Organization Admin Role access allow all”; allow (all) roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)
Action: Consolidate.
-------------------------------------------------------------------------------------------------------------
AM Miscellaneous
-------------------------------------------------------------------------------------------------------------
# # # discard # aci: (target=”ldap:///$rootSuffix”) (targetattr!=”nsroledn”) (version 3.0; acl “S1IS Group admin’s right to the users he creates”; allow (all) userattr = “iplanet-am-modifiable-by#ROLEDN”;)
Action: Discard.
Discarding this ACI disables the associated privileges to the attribute iplanet-am-modifiable-by.
-------------------------------------------------------------------------------------------------------------
Messaging Server
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (target=”ldap:///$rootSuffix”) (targetattr=”*”) (version 3.0; acl “Messaging Server End User Administrator Read Access Rights - product=SOMS,schema 2 support,class=installer,num=1,version=1”; allow (read,search) groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups, $rootSuffix”;)
Action: Consolidate.
This ACI grants permission to the Messaging End User Administrators Group.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (target=”ldap:///$rootSuffix”) (targetattr=”objectclass||mailalternateaddress||mailautoreplymode ||mailprogramdeliveryinfo||nswmextendeduserprefs||preferredlanguage ||maildeliveryoption||mailforwardingaddress ||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext ||vacationEndDate||vacationStartDate||mailautoreplysubject||pabURI ||maxPabEntries||mailMessageStore||mailSieveRuleSource||sunUCDateFormat ||sunUCDateDeLimiter||sunUCTimeFormat”) (version 3.0; acl “Messaging Server End User Adminstrator Write Access Rights - product=SOMS,schema 2 support,class=installer,num=2,version=1”; allow (all) groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups, $rootSuffix”;)
Action: Consolidate.
This ACI grants permission to the Messaging End User Administrators Group.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
# # consolidate # aci: (targetattr=”uid||ou||owner||mail||mailAlternateAddress ||mailEquivalentAddress||memberOf ||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota ||mailMsgQuota||inetSubscriberAccountId||dataSource||mailhost ||mailAllowedServiceAcces||pabURI||inetCOS||mailSMTPSubmitChannel ||aci”) (targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*)))) (version 3.0; acl “Deny write access to users over Messaging Server protected attributes - product=SOMS,schema 2 support,class=installer,num=3,version=1 “; deny (write) userdn = “ldap:///self”;)
Action: Consolidate.
This is one of several ACIs that set self privileges.
-------------------------------------------------------------------------------------------------------------
- © 2010, Oracle Corporation and/or its affiliates