Technical Note: Sun Java System Access Manager ACI Guide

Organization Admin Role ACIs

ACI 1:

aci: (target="ldap:///($dn),ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX))))
(targetattr != "nsroledn")(version 3.0; 
acl "S1IS Organization Admin Role access allow all";
 allow (all) roledn = "ldap:///cn=Organization Admin Role,[$dn],ORG_ROOT_SUFFIX";)

This ACI grants all permissions to members of the Organization Admin Role. Those members have 'all' permissions on the organization entry and on every entry and attribute beneath it within that organization. The 'all' access does not, however, extend to the nsroledn attribute where its values are Top-level Admin Role, Top-level Help Desk Admin Role, or Top-level Policy Admin Role.

In other words, members of the Organization Admin Role cannot read, write, delete, modify, or search the directory entries that hold the Top-level Admin, Top-level Help Desk Admin, or Top-level Policy Admin role. Members of the Organization Admin Role do have permission to modify the nsroledn attribute in their own profiles; however, they cannot assign any of the values named in the targetfilter above (Top-level Admin Role, Top-level Help Desk Admin Role, Top-level Policy Admin Role) to the nsroledn attribute.

ACI 2:

aci: (target="ldap:///cn=Organization Admin Role,($dn),ORG_ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS Organization Admin Role access deny"; 
deny (write,add,delete,compare,proxy)
 roledn = "ldap:///cn=Organization Admin Role,($dn),ORG_ROOT_SUFFIX";)

Members of the Organization Admin Role are denied write, add, delete, compare, and proxy permissions on all attributes of the Organization Admin Role entry itself, so they cannot alter the definition of their own role.
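The following is an added worked example, not code from the Access Manager documentation: a small Python model of ACI 1 and ACI 2 as written above (and only those two), applied to constructed entries so the combined effect of the targetfilter, the targetattr exclusion and the deny-over-allow precedence can be checked. ROOT_SUFFIX, ORG_ROOT_SUFFIX, the organization DN "o=acme" and the sample user entries are constructed placeholders; DN comparison is simplified to lowercase string matching.

```python
# Model of the Organization Admin Role ACIs (added example, not project code).
ROOT_SUFFIX = "dc=example,dc=com"        # constructed placeholder
ORG_ROOT_SUFFIX = ROOT_SUFFIX            # constructed: same suffix in this example
ORG_DN = "o=acme," + ORG_ROOT_SUFFIX     # constructed organization, i.e. ($dn)

# Roles excluded from ACI 1 by its targetfilter
PROTECTED_ROLES = {
    f"cn=Top-level Admin Role,{ROOT_SUFFIX}",
    f"cn=Top-level Help Desk Admin Role,{ROOT_SUFFIX}",
    f"cn=Top-level Policy Admin Role,{ROOT_SUFFIX}",
}
ORG_ADMIN_ROLE = f"cn=Organization Admin Role,{ORG_DN}"
ACI2_DENIED_RIGHTS = {"write", "add", "delete", "compare", "proxy"}


def in_subtree(dn, base):
    """Simplified DN scoping: exact match or a descendant of base."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def aci1_allows(entry, attr):
    """ACI 1: allow (all) on the organization subtree, except for entries
    holding a protected top-level role and except the nsroledn attribute."""
    if not in_subtree(entry["dn"], ORG_DN):
        return False                       # outside target
    if any(r in PROTECTED_ROLES for r in entry.get("nsroledn", [])):
        return False                       # excluded by the targetfilter
    return attr != "nsroledn"              # excluded by targetattr != "nsroledn"


def aci2_denies(entry, right):
    """ACI 2: deny write/add/delete/compare/proxy on the role entry itself."""
    return entry["dn"].lower() == ORG_ADMIN_ROLE.lower() and right in ACI2_DENIED_RIGHTS


def org_admin_may(entry, right, attr):
    """Net decision for a bind DN holding the Organization Admin Role.
    Directory Server semantics modelled: an explicit deny wins over any
    allow, and with no matching allow the default is deny."""
    if aci2_denies(entry, right):
        return False
    return aci1_allows(entry, attr)


# Constructed sample entries
USER = {"dn": f"uid=jdoe,ou=People,{ORG_DN}", "nsroledn": []}
TOP_ADMIN = {"dn": f"uid=root,ou=People,{ORG_DN}",
             "nsroledn": [f"cn=Top-level Admin Role,{ROOT_SUFFIX}"]}
ROLE_ENTRY = {"dn": ORG_ADMIN_ROLE}
```

Running org_admin_may over these entries shows an ordinary user's mail attribute is writable, the same user's nsroledn is not, an entry holding Top-level Admin Role is invisible even for read, and the role entry itself is readable but not writable.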