List of Unused ACIs to be Discarded

The listing in this section shows the unused default ACIs that are discarded from the directory when you apply the replacement.acis.ldif file to the directory.

The ACIs to be discarded are divided into the following categories:

• Suffix

• Top-level Help Desk Admin Role

• Top-level Policy Admin Role

• Access Manager Anonymous

• Access Manager Deny Write Access

• Access Manager Container Admin Role

• Organization Help Desk

• Access Manager Miscellaneous

Suffix

# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Configuration Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Configuration Administrators, ou=Groups,
ou=TopologyManagement, o=NetscapeRoot”);)


#
# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Directory Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Directory Administrators, $rootSuffix”);)


#
# discard
#
aci:
(targetattr = “*”)
(version 3.0;
acl “SIE Group”;
allow (all)
groupdn = “ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, cn=Server
Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot”;)


#
# discard - prevents TLA from modifying the amldapuser account.
#
aci:
(target=”ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”)
(targetattr = “*”)
(version 3.0;
acl “S1IS special ldap auth user modify right”;
deny (write)
roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”;)


#
# discard - protects SAML related attributes
#
aci:
(targetattr=”iplanet-am-saml-user || iplanet-am-saml-password”)
(targetfilter=”(objectclass=iplanet-am-saml-service)”)
(version 3.0; acl “S1IS Right to modify saml user and password”;
deny (all)
(roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”)
AND (userdn != “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”)
AND (userdn != “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”); )

Top-level Help Desk Admin Role

#
# discard
 #
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)

Top-level Policy Admin Role

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access
Auth Service deny”;
deny (add,write,delete)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=”(objectclass=sunismanagedorganization)”)
(targetattr = “sunRegisteredServiceName”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,write,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)

Access Manager Anonymous

#
# discard - prevents anyone other than rootdn from deleting
# default organization.
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(entrydn=$rootSuffix))
(targetattr=”*”)
(version 3.0; acl “S1IS Default Organization delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )


#
# discard - prevents any user other than rootdn from deleting the
# TLA admin role.
#
aci:
(target=”ldap:///cn=Top-level Admin Role,$rootSuffix”)
(targetattr=”*”)
version 3.0; acl “S1IS Top-level admin delete right denied”;
deny(delete)
userdn = “ldap:///anyone”; )

Access Manager Deny Write Access

#
# discard
#
aci:
(targetattr = “*”)
(version 3.0; acl “S1IS Deny write to anonymous user”;
deny (add,write,delete)
roledn =”ldap:///cn=Deny Write Access,$rootSuffix”;)

Access Manager Container Admin Role

#
# discard
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Container Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Container Admin Role,[$dn],$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///cn=Container Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Container Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Container Admin Role,($dn),$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///ou=People,$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix)
(nsroledn=cn=Container Admin Role,$rootSuffix))))
(targetattr != “iplanet-am-web-agent-access-allow-list 
|| iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn”)
(version 3.0; acl “S1IS Group and people container admin role”;
allow (all)
roledn = “ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix”;)

Organization Help Desk

#
# discard
#
aci: (extra verses dreambig)
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)

Access Manager Miscellaneous

#
# discard - Removal disables the associated privileges to the attribute
# iplanetam-modifiable-by
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr!=”nsroledn”)
(version 3.0; acl “S1IS Group admin’s right to the users he creates”;
allow (all)
userattr = “iplanet-am-modifiable-by#ROLEDN”;)