Sun Directory Services 3.1 Administration Guide

To Add an Access Control Rule

  1. Choose Access Control from the Create menu.

    The Create Access Control Rule window is displayed.

  2. Specify the information to which the new rule will apply, as follows:

    a. From the Selected Entries menu, select the method of specifying the entries.

      You can specify entries using a DN-based regular expression, an LDAP filter, or you can specify that the rule applies to all entries.

      • If you selected DN-based regular expression, type the regular expression in the Distinguished name field, or click Set to use the Distinguished Name Editor to specify the regular expression.

        If you want to protect only certain attributes within the set of entries defined by the regular expression, click the Attribute Set button and select the attributes to be protected. If you do not specify any attributes, all attributes in the specified entries are protected.

      • If you selected LDAP filter, click the LDAP filter Set button to launch the LDAP Filter Editor. Specify the filter, and click Apply.

        If you want to protect only certain attributes within the set of entries defined by the LDAP filter, click the Attribute Set button and select the attributes to be protected. If you do not specify any attributes, all attributes in the specified entries are protected.

    b. Type the name of an attribute to be protected in the Attributes field.

      To see a list of attributes, click the Set button. You can specify any number of attributes.

  3. Choose Access Rule from the Create menu.

    The Add User Rule window is displayed.

  4. Select the Rule type. This defines the set of users to which the rule applies.

    You can specify a rule for Everyone, DN-based Regular Expression, Self (that is, the entity described by the entry), Address, Domain, or Member Attribute.

    • If you selected Everyone, the rule will apply to all users whose directory entries contain this attribute.

    • If you selected DN-based Regular Expression, specify the regular expression for the set of users to which the rule applies. The rule will apply to all users who bind with a distinguished name that matches the regular expression.

      You can type the distinguished name directly in the field, or you can click Set to use the Distinguished Name Editor to construct the distinguished name. See "Using the DN Editor" for more information about how to specify a distinguished name.

    • If you selected Address, specify an IP address.

      The IP address can contain wildcards. The rule will apply to all users who bind from the specified IP address.

    • If you selected Domain, specify a domain name.

      The domain name can contain wildcards. The rule will apply to all users who bind from the specified domain.

    • If you selected Member Attribute, specify an attribute.

      The rule will allow the DN used in the bind to be added to or removed from the list of members specified by the attribute.

  5. Specify the access rights to be granted to the specified set of users.

  6. Click Apply to add the rule.

    You can then define other rules for entries you have selected. When you have created and added all the rules for these entries, click Cancel to dismiss the Add User Rule window. Figure 4-4 shows a new ACL created to authorize users to update their own homePhone and homePostalAddress attributes.

    Figure 4-4 Create Access Control Window [graphic not reproduced]

  7. In the Create Access Control Rule window, click Apply to store the new rules.

    You can then select another set of entries and define access controls for them, as described in Step a.

    Configuration changes are implemented when you restart the dsservd daemon.
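The following is an added illustration, not code from Sun Directory Services or this guide: a small Python model of how the rule types chosen in Steps 2 and 4 (entry selection and attribute set on one side; Everyone, DN-based Regular Expression, Self, Address, Domain and Member Attribute on the other) combine to decide a request, so that a rule set like the one in Figure 4-4 can be checked for granting only what was intended. Everything not stated in the procedure is an assumption made here: the right names "read" and "write", full-DN case-insensitive regular-expression matching, shell-style wildcards for Address and Domain patterns, deny-by-default evaluation, and the constructed sample entries and rules under o=example.com.

```python
"""Toy model of the access-control rules built in the procedure above.

Added illustration, not Sun Directory Services code. Assumptions: rights are
named "read" and "write"; DN regular expressions must match the whole DN,
case-insensitively; Address and Domain patterns use shell-style wildcards;
the entries and rules under o=example.com are constructed sample data.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bind:
    """The bound user: bind DN plus where the connection came from."""
    dn: str
    ip: str = ""
    domain: str = ""


@dataclass(frozen=True)
class Rule:
    """One rule: which entries/attributes it protects, whom it applies to, what it grants."""
    target_dn_regex: Optional[str]      # None = rule applies to all entries
    attributes: frozenset               # empty = all attributes in the selected entries
    subject_type: str                   # everyone | dn_regex | self | address | domain | member_attribute
    subject_value: str = ""             # regex, IP/domain pattern, or member attribute name
    rights: frozenset = frozenset()     # e.g. {"read", "write"} (assumed names)


def _norm(dn: str) -> str:
    """Normalise a DN for comparison: drop spaces after commas, lower-case."""
    return dn.replace(", ", ",").lower()


def _rule_covers(rule: Rule, entry_dn: str, attribute: str) -> bool:
    """Does the rule's target (entry selection + attribute set) include this attribute of this entry?"""
    if rule.target_dn_regex is not None and not re.fullmatch(
            rule.target_dn_regex, _norm(entry_dn), re.IGNORECASE):
        return False
    return not rule.attributes or attribute.lower() in {a.lower() for a in rule.attributes}


def _subject_matches(rule: Rule, bind: Bind, entry_dn: str) -> bool:
    """Does the bound user fall into the set of users the rule type describes?"""
    if rule.subject_type == "everyone":
        return True
    if rule.subject_type == "dn_regex":
        return re.fullmatch(rule.subject_value, _norm(bind.dn), re.IGNORECASE) is not None
    if rule.subject_type == "self":
        return _norm(bind.dn) == _norm(entry_dn)
    if rule.subject_type == "address":
        return fnmatch.fnmatchcase(bind.ip, rule.subject_value)
    if rule.subject_type == "domain":
        return fnmatch.fnmatchcase(bind.domain.lower(), rule.subject_value.lower())
    return False


def is_allowed(rules, bind: Bind, entry_dn: str, attribute: str, right: str, value=None) -> bool:
    """Grant if any rule covers the attribute and its subject holds; otherwise deny.

    `value` is the attribute value being added or removed; it matters only for
    the Member Attribute rule type, which lets a user add or remove their own
    bind DN in the member list and nothing else.
    """
    for rule in rules:
        if not _rule_covers(rule, entry_dn, attribute):
            continue
        if rule.subject_type == "member_attribute":
            if (attribute.lower() == rule.subject_value.lower() and right == "write"
                    and value is not None and _norm(value) == _norm(bind.dn)):
                return True
            continue
        if _subject_matches(rule, bind, entry_dn) and right in rule.rights:
            return True
    return False


PEOPLE = r".*,ou=people,o=example\.com"   # constructed sample suffix

# Constructed rule set modelled on Figure 4-4: users may update their own
# homePhone and homePostalAddress; one admin DN may write everything under
# ou=people; reads are allowed from one network; users may join or leave groups.
SAMPLE_RULES = (
    Rule(PEOPLE, frozenset({"homePhone", "homePostalAddress"}), "self",
         rights=frozenset({"read", "write"})),
    Rule(PEOPLE, frozenset(), "dn_regex", r"cn=directory manager,o=example\.com",
         frozenset({"read", "write"})),
    Rule(None, frozenset(), "address", "192.0.2.*", frozenset({"read"})),
    Rule(r"cn=.*,ou=groups,o=example\.com", frozenset({"member"}),
         "member_attribute", "member"),
)

if __name__ == "__main__":
    alice = Bind("cn=alice,ou=people,o=example.com", ip="192.0.2.10", domain="eng.example.com")
    print(is_allowed(SAMPLE_RULES, alice, alice.dn, "homePhone", "write"))                          # own entry
    print(is_allowed(SAMPLE_RULES, alice, "cn=bob,ou=people,o=example.com", "homePhone", "write"))  # someone else's
```

The evaluator only ever grants: a request is denied unless some rule both covers the target attribute and matches the bound user, which is the property to verify when reviewing a rule set such as Figure 4-4 (a user may write their own homePhone, but not another user's, and not an attribute outside the protected set). Explicit deny rules, LDAP-filter targets and the server's real rule-ordering semantics are not modelled.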