Technical Note: Sun Java System Access Manager ACI Guide

Elimination of ACIs During Installation

The following ACIs, which were defined by Directory Server, are deleted from the Directory Server during installation of Access Manager.

ACI 1:

aci: (targetattr != "userPassword") 
(version 3.0; acl "Anonymous access"; 
allow (read, search, compare)userdn = "ldap:///anyone";)

All users have anonymous access to the directory for search, compare, and read operations, except for the following attribute:

userPassword

ACI 2:

aci: (targetattr != "userPassword || passwordHistory") 
(version 3.0; acl "Anonymous access"; 
allow (read, search, compare)userdn = "ldap:///anyone";)

All users have anonymous access to the directory for search, compare, and read operations, except for the following attributes:

userPassword, passwordHistory

ACI 3:

aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime 
|| passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime 
|| passwordAllowChangeTime ") (version 3.0; acl "Anonymous access"; 
allow (read, search, compare)userdn = "ldap:///anyone";)

All users have anonymous access to the directory for search, compare, and read operations, except for the following attributes:

userPassword, passwordHistory, passwordExpirationTime, passwordExpWarned, passwordRetryCount, retryCountResetTime, accountUnlockTime, passwordAllowChangeTime

ACI 4:

aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit 
|| nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")
(version 3.0; acl "S1IS Allow self entry modification except for nsroledn, 
aci, resource limit attributes,and passwordPolicySubentry"; 
allow (write)userdn ="ldap:///self";)

This ACI prevents users who have 'self' access to the Directory Server (that is, users bound as their own entry) from writing to the listed attributes. Access Manager deletes this self-access ACI during installation to allow self-access for some administrative functions, for instance so that Organization Admins can modify their own profiles. Since the current ACIs do prevent Organization Admins from assigning the Top-level Admin roles, they should be allowed to assign themselves other administrative (and service) roles, which can only be lesser in privilege than their current capabilities. Deleting this ACI meets the requirement that an Organization Admin be able to modify the nsroledn attribute in their own profile.
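Each ACI above follows the same pattern: a negated targetattr list, an acl name, and a single allow clause for one subject. The small parser below is an added example (not part of the Access Manager guide or the product) that reads that pattern, answers whether a given ACI grants a right on a given attribute, and reports which password-policy attributes an ACI set still leaves readable to anonymous binds. It assumes the `(targetattr != "...")` form shown on this page and only the userdn/groupdn/roledn subject forms; the ACI strings are copied from ACI 3 and ACI 4 with whitespace normalised.

```python
import re

# Constructed copies of the note's ACI 3 and ACI 4 (whitespace normalised, content unchanged).
ACI_3 = ('(targetattr != "userPassword || passwordHistory || passwordExpirationTime '
         '|| passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime '
         '|| passwordAllowChangeTime ") (version 3.0; acl "Anonymous access"; '
         'allow (read, search, compare)userdn = "ldap:///anyone";)')
ACI_4 = ('(targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit '
         '|| nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ") '
         '(version 3.0; acl "S1IS Allow self entry modification except for nsroledn, '
         'aci, resource limit attributes,and passwordPolicySubentry"; '
         'allow (write)userdn ="ldap:///self";)')

# Attributes a reviewer would expect to stay hidden from anonymous binds (assumed set).
PASSWORD_POLICY_ATTRS = {"userPassword", "passwordHistory", "passwordRetryCount", "accountUnlockTime"}


def parse_aci(aci):
    """Split one 'targetattr != ...' ACI into excluded attributes, acl name, action, rights and subject."""
    target = re.search(r'\(targetattr\s*!=\s*"([^"]*)"\)', aci)
    name = re.search(r'acl\s*"([^"]*)"', aci)
    perm = re.search(r'(allow|deny)\s*\(([^)]*)\)\s*(userdn|groupdn|roledn)\s*=\s*"([^"]*)"', aci)
    if not (target and name and perm):
        raise ValueError("not a 'targetattr != ...' ACI: %r" % aci)
    return {
        "excluded": {a.strip() for a in target.group(1).split("||") if a.strip()},
        "name": name.group(1),
        "action": perm.group(1),
        "rights": {r.strip() for r in perm.group(2).split(",")},
        "subject": perm.group(4),
    }


def grants(parsed, attr, right):
    """True if the ACI allows `right` on `attr` for its subject: attr must lie outside the exclusion list."""
    return parsed["action"] == "allow" and right in parsed["rights"] and attr not in parsed["excluded"]


def anonymous_exposure(acis, attrs):
    """Return the subset of `attrs` that some ldap:///anyone ACI in `acis` leaves readable."""
    exposed = set()
    for aci in acis:
        parsed = parse_aci(aci)
        if parsed["subject"] == "ldap:///anyone":
            exposed |= {a for a in attrs if grants(parsed, a, "read")}
    return exposed
```

Running `anonymous_exposure` over an exported ACI set with the password-policy attributes is a quick way to confirm, after Access Manager's installation changes, that those attributes are still not anonymously readable.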