Sun Directory Services 3.1 Administration Guide

Configuring Access Control

Access controls determine who has access to a given directory entry, and what level of access is granted. "Access Control" explains how to design an access control policy for your directory. The following sections explain how to configure default access, and add, modify, and delete access control rules.

An access control rule defines the level of access to specific directory information given to a particular user. There are two stages to defining a new access control rule: first, you select the entries (and, optionally, the attributes within them) that the rule protects; second, you add one or more user rules, each granting a set of users a level of access to that information.

Access control rules are ordered, with the most specific rules first, followed by more general rules. The first rule in the list that matches the requested operation is applied; the rules that follow it are ignored. A general rule placed ahead of a more specific one therefore prevents the specific rule from ever being applied.

Default access is the level of access granted to entries and attributes for which access control is not specifically defined.

Configuring Default Access

  1. In the Admin Console main window, go to the Access Control section.

  2. Use the Default Access menu button to select a level of access.

    By default, this option is set to read. Because default access applies to every entry and attribute that no rule covers, check this setting before you add rules: with a default of read, any attribute you have not explicitly protected is readable.

To Add an Access Control Rule

  1. Choose Access Control from the Create menu.

    The Create Access Control Rule window is displayed.

  2. Specify the information to which the new rule will apply, as follows:

    1. From the Selected Entries menu, select the method of specifying the entries.

      You can specify entries using a DN-based regular expression or an LDAP filter, or you can specify that the rule applies to all entries.

      • If you selected DN-based regular expression, type the regular expression in the Distinguished name field, or click Set to use the Distinguished Name Editor to specify the regular expression.

        If you want to protect only certain attributes within the set of entries defined by the regular expression, click the Attribute Set button and select the attributes to be protected. If you do not specify any attributes, all attributes in the specified entries are protected.

      • If you selected LDAP filter, click the LDAP filter Set button to launch the LDAP Filter Editor. Specify the filter, and click Apply.

        If you want to protect only certain attributes within the set of entries defined by the filter, click the Attribute Set button and select the attributes to be protected. If you do not specify any attributes, all attributes in the specified entries are protected.

    2. Type the name of an attribute to be protected in the Attributes field.

      To see a list of attributes, click the Set button. You can specify any number of attributes.

  3. Choose Access Rule from the Create menu.

    The Add User Rule window is displayed.

  4. Select the Rule type. This defines the set of users to which the rule applies.

    You can specify a rule for Everyone, DN-based Regular Expression, Self (that is, the entity described by the entry), Address, Domain, or Member Attribute.

    • If you selected Everyone, the rule applies to all users.

    • If you selected DN-based Regular Expression, specify the regular expression for the set of users to which the rule applies. The rule will apply to all users who bind with a distinguished name that matches the regular expression.

      You can type the distinguished name directly in the field, or you can click Set to use the Distinguished Name Editor to construct the distinguished name. See "Using the DN Editor" for more information about how to specify a distinguished name.

    • If you selected Address, specify an IP address.

      The IP address can contain wildcards. The rule will apply to all users who bind from the specified IP address. Address and Domain rules match on the network origin of the connection, not on the credentials presented in the bind, so treat them as a restriction in addition to authentication rather than as a substitute for it.

    • If you selected Domain, specify a domain name.

      The domain name can contain wildcards. The rule will apply to all users who bind from the specified domain.

    • If you selected Member Attribute, specify an attribute.

      The rule will allow the DN used in the bind to be added to or removed from the list of members specified by the attribute.

  5. Specify the access rights to be granted to the specified set of users.

  6. Click Apply to add the rule.

    You can then define other rules for entries you have selected. When you have created and added all the rules for these entries, click Cancel to dismiss the Add User Rule window. Figure 4-4 shows a new ACL created to authorize users to update their own homePhone and homePostalAddress attributes.

    Figure 4-4 Create Access Control Window

    Graphic

  7. In the Create Access Control Rule window, click Apply to store the new rules.

    You can then select another set of entries and define access controls for them, as described in Step 2.

    Configuration changes are implemented when you restart the dsservd daemon.

To Modify an Access Control Rule

  1. Select the set of entries whose access control you want to modify, and choose Modify ACL from the Selected menu.

    The Modify Access Control Rule window is displayed. If you double-click a rule, this window is displayed automatically.

  2. Select the rule that you want to modify, and choose Modify Access Rule from the Selected menu.

    The Modify User Rule window is displayed. If you double-click the rule you want to modify, the Modify User Rule window is displayed automatically.

  3. Make the modification you require.

  4. Click Apply.

    Make any other modifications you require. When you have made and applied all the modifications, click Cancel to dismiss the Modify User Rule window.

  5. Click OK in the Modify Access Control Rule window.

    These changes will take effect when you restart the dsservd daemon.

To Delete an Access Control Rule

    To delete all access control rules for a set of entries, select the entry set and choose Delete ACL from the Selected menu.

    You are prompted to confirm that you want to delete all access controls for the set of entries.

    To delete one rule from an ACL:

  1. Select the set of entries and choose Modify ACL from the Selected menu.

    The Modify Access Control Rule window is displayed.

  2. Select the rule you want to delete and choose Delete User Rule from the Selected menu.

    You are prompted to confirm that you want to delete this rule.

To Reorder Access Control Rules

    In the Access Control section of the main window, select the rule you want to move, and choose Move Up or Move Down from the Selected menu.

    When the rules are reordered as you require, click Apply to save the changes to the configuration file. The changes are implemented when you restart the dsservd daemon.


    Note -

    The Admin Console will display a warning message if you break the convention of placing the rules from the more specific to the more general. Because the first matching rule is applied and the rest are ignored, a general rule placed ahead of a more specific one hides the specific rule entirely.
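The ordering behaviour described in this section (the first matching rule wins, default access applies when nothing matches) and the warning in the Note above are easiest to see in a small model. The following is an added example, not code from Sun Directory Services or its Admin Console. It evaluates a list of access control rules in order using the rule types named in this section (Everyone, DN-based regular expression, Self, Address, Domain), and flags a rule that an earlier, more general rule makes unreachable. The access levels and their ranking, the DN normalisation, the sample DNs under ou=People,o=Example, and the shadowing check itself are assumptions made for illustration; the sample rule set is modelled on the Figure 4-4 ACL that lets users update their own homePhone and homePostalAddress.

```python
"""Ordered, first-match access control rules: a toy evaluator.

Added example, not code from Sun Directory Services or its Admin Console.
The access levels and their ranking (none < compare < search < read < write),
the DN normalisation and the shadowing check are assumptions for illustration.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ["none", "compare", "search", "read", "write"]  # assumed ranking


def norm_dn(dn: str) -> str:
    """Toy DN normalisation: case-fold and strip blanks around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class UserRule:
    subject: str        # "everyone", "self", "dn", "addr" or "domain"
    level: str          # access level granted when the subject matches
    pattern: str = ""   # regex for "dn"; wildcard pattern for "addr"/"domain"


@dataclass
class ACL:
    entry_regex: Optional[str]       # regex over the target DN; None = all entries
    attributes: Optional[frozenset]  # protected attributes; None = all attributes
    rules: List[UserRule]            # user rules, in evaluation order


@dataclass
class Request:
    target_dn: str
    attribute: str
    bind_dn: str = ""          # "" models a bind without a DN
    client_ip: str = ""
    client_domain: str = ""


def subject_matches(rule: UserRule, req: Request) -> bool:
    if rule.subject == "everyone":
        return True
    if rule.subject == "self":
        return bool(req.bind_dn) and norm_dn(req.bind_dn) == norm_dn(req.target_dn)
    if rule.subject == "dn":
        return bool(req.bind_dn) and re.fullmatch(rule.pattern, req.bind_dn, re.I) is not None
    if rule.subject == "addr":
        return fnmatch.fnmatch(req.client_ip, rule.pattern)
    if rule.subject == "domain":
        return fnmatch.fnmatch(req.client_domain.lower(), rule.pattern.lower())
    raise ValueError(f"unknown rule type: {rule.subject}")


def acl_matches(acl: ACL, req: Request) -> bool:
    if acl.entry_regex is not None and re.fullmatch(acl.entry_regex, req.target_dn, re.I) is None:
        return False
    return acl.attributes is None or req.attribute.lower() in {a.lower() for a in acl.attributes}


def decide(acls: List[ACL], default_level: str, req: Request) -> tuple:
    """First matching user rule of the first matching ACL wins; everything
    after it is ignored. If nothing matches, default access applies."""
    for i, acl in enumerate(acls):
        if acl_matches(acl, req):
            for j, rule in enumerate(acl.rules):
                if subject_matches(rule, req):
                    return rule.level, f"acl[{i}].rules[{j}] ({rule.subject})"
    return default_level, "default access"


def permits(acls: List[ACL], default_level: str, req: Request, needed: str) -> bool:
    level, _ = decide(acls, default_level, req)
    return LEVELS.index(level) >= LEVELS.index(needed)


def shadowed(acls: List[ACL]) -> List[str]:
    """Simplified ordering check (assumption, not the Admin Console's logic):
    an "everyone" rule makes every later rule in the same ACL unreachable."""
    findings = []
    for i, acl in enumerate(acls):
        for j, rule in enumerate(acl.rules):
            if rule.subject == "everyone" and j + 1 < len(acl.rules):
                findings.append(f"acl[{i}]: rules after rules[{j}] (everyone) are unreachable")
                break
    return findings


# Constructed sample data modelled on Figure 4-4: users may update their own
# homePhone and homePostalAddress; everyone else gets read on those attributes.
PEOPLE = r"cn=[^,]+,ou=People,o=Example"
SELF_ATTRS = frozenset({"homePhone", "homePostalAddress"})
GOOD_ORDER = [ACL(PEOPLE, SELF_ATTRS, [UserRule("self", "write"), UserRule("everyone", "read")])]
# Same two user rules with the general one first: the Self rule can never match.
BAD_ORDER = [ACL(PEOPLE, SELF_ATTRS, [UserRule("everyone", "read"), UserRule("self", "write")])]
ALICE = "cn=Alice Liddell,ou=People,o=Example"
BOB = "cn=Bob Cratchit,ou=People,o=Example"

if __name__ == "__main__":
    req = Request(ALICE, "homePhone", bind_dn=ALICE)
    for name, acls in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(name, "alice writes own homePhone:", permits(acls, "read", req, "write"), decide(acls, "read", req))
        print(name, "warnings:", shadowed(acls))
```

With the rules in the intended order, Alice binding as herself reaches the Self rule and may write her own homePhone, while Bob falls through to the Everyone rule and gets read. With the same two rules reversed, the Everyone rule matches first for every bind, so the Self rule is dead and Alice's write is refused; the shadowing check reports exactly that rule as unreachable, which is the situation the Admin Console warns about.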