iPlanet Delegated Administrator 4.5 Deployment and Customization Guide



Appendix D       Delegated Administrator Access Control Instructions (ACIs)


You may find it necessary to modify the Delegated Administrator access control instructions (ACIs). For example, you may want to expand the access privileges of an existing Group administrator, or to create a new type of administrator. This appendix provides information you'll need to understand the access control framework that comes with Delegated Administrator. It does not provide step-by-step instructions for modifying existing ACIs, or for creating new ones.



Note Before attempting to modify Delegated Administrator ACIs, you should have a working knowledge of Directory Server ACIs and be proficient in modifying them. For detailed information, see the Directory Server Administrator's Guide.



Topics included in this appendix are:

  • Overview of Delegated Administrator ACIs

  • How Group Administrator ACIs Work

  • ACI Implementation and Scalability Issues

  • Delegated Administrator ACIs Explained



Overview of Delegated Administrator ACIs

At installation, Delegated Administrator creates directory entries for seven types of administrators:

  • NDAUser
    (an internal user that iPlanet Delegated Administrator uses for authentication and administrative functions)

  • Top-level Administrators
    (formerly Service Administrators)

  • Top-level Help Desk Administrators
    (formerly Service Help Desk Administrators)

  • Organization Administrators
    (formerly Domain Administrators)

  • Organization Help Desk Administrators
    (formerly Domain Help Desk Administrators)

  • Group Administrators
    (formerly Department Administrators)

  • End Users

Delegated Administrator defines specific access control instructions (ACIs) for each of these administrators. The ACIs determine which directory entries an administrator can modify, as well as the types of modifications the administrator can make to the entries. The tables in the following pages summarize administrators' access privileges to directory entries for the four default Delegated Administrator user containers: the Top-level, Organization, Group, and User Account.


Table D-1    Access to the Top-level entry.

This type of user...                    Has the following access privileges to the Top-level entry...
                                        Read        Search      Write       Add         Delete      Compare
NDAUser                                 limited[1]  limited[2]  limited[3]
Top-level Administrator                 full        full        limited[4]
Top-level Help Desk Administrator       full        full
Organization Administrator
Organization Help Desk Administrator
Group Administrator
End User (as an Administrator)

[1] NDAUser can read only the following object classes and attributes: objectclass, o, nsnumdomains.

[2] NDAUser can search only the following object classes and attributes: objectclass, o, nsnumdomains.

[3] NDAUser can modify only the following attribute: nsNumDomains.

[4] Top-level Help Desk Administrator can modify only the following attribute: nsnumdomains.


Table D-2    Access to an Organization entry.

This type of user...                    Has the following access privileges to the Organization entry...
                                        Read        Search      Write       Add         Delete      Compare
NDAUser                                 limited[1]  limited[2]  limited[3]
Top-level Administrator                 full        full        full        full        full        full
Top-level Help Desk Administrator       full        full
Organization Administrator              full        full        limited[4]  limited[4]  limited[4]  limited[4]
Organization Help Desk Administrator    full        full
Group Administrator
End User (as an Administrator)

[1] NDAUser can read only the following object classes and attributes: objectclass, nsdaorgid, nsnum*, nsmax*, o.

[2] NDAUser can search only the following object classes and attributes: objectclass, nsdaorgid, nsnum*, nsmax*, o.

[3] NDAUser can modify only the following attributes: nsnum*, nsmax*.

[4] Organization administrators have full read and search access privileges to all resources within their organizations; they have write, add, delete, and compare privileges only to resources in their suborganizations.


Table D-3    Access to a Group entry.

This type of user...                    Has the following access privileges to a Group entry...
                                        Read        Search      Write       Add         Delete      Compare
NDAUser                                 limited[1]  limited[2]  limited[3]
Top-level Administrator                 full        full        full        full        full        full
Top-level Help Desk Administrator       full        full
Organization Administrator              full        full        full        full        full        full
Organization Help Desk Administrator
Group Administrator                     full        full        full
End User (as an Administrator)

[1] NDAUser can read only the following object classes and attributes: objectclass, cn, nsnumusers, nsmaxusers, nsnumdepts, nsmaxdepts.

[2] NDAUser can search only the following object classes and attributes: objectclass, cn, nsnumusers, nsmaxusers, nsnumdepts, nsmaxdepts.

[3] NDAUser can modify only the following attribute values: nsnumusers, nsnumdepts.


Table D-4    Access to a User Account entry.

This type of user...                    Has the following access privileges to a User Account entry...
                                        Read        Search      Write       Add         Delete      Compare
NDAUser                                 limited[1]  limited[2]  limited[3]
Top-level Administrator                 full        full        full        full        full        full
Top-level Help Desk Administrator       full        full        limited[4]
Organization Administrator              full        full        full        full        full        full
Organization Help Desk Administrator    full        full        limited[5]
Group Administrator                     full        limited[6]  limited[6]  limited[6]  limited[6]  limited[6]
End User (as an Administrator)[7]       full        full        limited[8]

[1] NDAUser can read only the following object classes and attributes: objectclass, uid, mail, userCertificate.

[2] NDAUser can search only the following object classes and attributes: objectclass, uid, mail, userCertificate.

[3] NDAUser can modify only the following attributes: nsnumusers, nsmaxusers.

[4] Top-level Help Desk Administrators can modify passwords for all users within the top level except for the Top-level administrators.

[5] Organization Help Desk Administrators can modify passwords for all users within the organization except for Top-level and Organization administrators.

[6] Group Administrators have full access privileges only to user accounts within their own group. For all other user accounts in the organization, the Group administrator has read-only access.

[7] With anonymous access disabled, an End User can read or search entries for all other users in the organization.

[8] With anonymous access disabled, an End User can modify values for all attributes in his or her own entry except for the following: uid, ou, owner, nDAModifiableBy, nsDACapability, mail, mailAlternateAddress, memberOf, and nsDADomain.



How Group Administrator ACIs Work



Of the seven types of administrators, Group administrators have the most complex set of ACIs. The scenarios in this section illustrate how some of the default ACIs that apply to Group administrators come into play.


ACIs for Adding a User to a Group

The following scenario demonstrates how the Group administrator's ACIs allow the administrator to add a user to many groups. John Doe is a member of the Marketing Division in the Siroe organization. He has just received a promotion to General Manager, and will soon preside over all of the following business divisions: Sales, Development, Marketing, and Operations (see Figure D-1).

Figure D-1    Adding a user to multiple groups.

Doris Dooley is a Group administrator in the Siroe organization. She manages the Delegated Administrator group to which John Doe currently belongs, the Marketing group. She also manages the other Delegated Administrator groups that John Doe will soon control: Sales, Development, and Operations.

Using Delegated Administrator, Doris adds John Doe to the Sales, Development, and Operations groups.

The following rules are defined in the Group administrator's ACIs, and make it possible for Doris to add John Doe to the three other groups:

  • Group Administrators have full access privileges to all users belonging to the groups they administer.

  • A Group administrator can manage one or more groups in an organization.

  • A user may belong to any number of groups in the organization.

  • A Group administrator can add an existing user, one who belongs to a group he or she manages, to any other group he or she manages.

A Group administrator can also create a new user directly in a group he or she manages. For example, Jane Smith is a new employee and will take John Doe's old position in the Marketing Division. Using Delegated Administrator, Doris Dooley navigates to the Marketing group administration page and creates a new account for Jane Smith within the Marketing group.


Limited Access to Higher-level Administrators

Group administrators have limited access privileges to administrator entries that exist above them in the directory tree. For example, by default, the following administrators exist in the Delegated Administrator tree above Group administrators:

  • Top-level Administrators

  • Top-level Help Desk Administrators

  • Organization Administrators

  • Organization Help Desk Administrators

Group administrators cannot modify attribute values in the entries for these users. Group administrators also cannot add these users to, or remove them from, their administrator groups.


ACIs for Modifying Own Entries

Group administrators can manage user accounts within their own groups, yet they cannot modify some attribute values in their own user accounts. For example, in the default Siroe organization, Doris Dooley can change the user information for Bill Johnson, who is a member of Group 1.

As a Group administrator, Doris can use Delegated Administrator to change the values of many attributes in Bill Johnson's directory entry, such as uid, mail, and mailAlternateAddress. As an End User, Bill is restricted from modifying the values of these attributes in his own directory entry. These restrictions are defined by the ACIs for End Users (see User Access under Top-level ACIs).

As an End User, Doris is likewise restricted from changing the values of any of the following attributes in her own directory entry: uid, ou, owner, nDAModifiableBy, nsDACapability, mail, mailAlternateAddress, memberOf, and nsDADomain. (See footnote 8 of Table D-4.)


Managing Subgroups

Group administrators can create subgroups under the groups they manage. In this scenario, a Group administrator manages three groups named Sales, Marketing, and Development. Under each group, the Group administrator creates two or three subgroups representing office locations. In Figure D-2, the Sales division has employees in the Los Angeles, Seattle, and Tucson offices. Each of the subgroups representing office locations for Sales, Marketing, and Development automatically comes under the management of the same Group administrator. He has full ownership of, and full access privileges to, each of these subgroups. He can also add himself to any of the groups or subgroups he manages.

User Jerry Don physically moves from the Tucson Sales office to the Los Angeles Sales office. His colleague Mary Doe changes jobs and transfers from the Tucson Sales group to the Tucson Marketing group. The Group administrator uses Delegated Administrator to remove Jerry Don from the Tucson Sales group and add him to the Los Angeles Sales group. He then removes Mary Doe from the Tucson Sales group and adds her to the Tucson Marketing group.

Figure D-2    Managing subgroups.

This scenario demonstrates two default ACIs that apply to the Group administrator:

  • When a Group administrator creates a subgroup under one of his or her groups, the subgroup automatically comes under the Group administrator's management.

  • A Group administrator can add any user from any of the groups under his or her management to a subgroup.



ACI Implementation and Scalability Issues

Delegated Administrator uses iPlanet Directory Server ACIs to define and enforce access control and security for data in the directory tree. As much as possible, Delegated Administrator ACIs have been defined at the root node of the Delegated Administration tree. This increases scalability and allows a larger number of organizations to be supported.

ACIs are defined at the organization level only when necessary. There are currently 32 ACIs defined at the root node and 17 at the organization level. Of the 17 at the organization level, 3 ACIs are for mailing list management. These can be eliminated if mailing list management is not essential to your deployment.


Note The number of ACIs that must be evaluated in the course of any operation affects Delegated Administrator's performance. iPlanet Directory Server 4.x scales up to 2000 ACIs in the directory tree. If the number of Directory Server ACIs used in your deployment is very high, and there are more than 150 organizations in the Delegated Administrator tree, you could see a drop in Delegated Administrator's performance. The performance issues may be resolved with iPlanet Directory Server 5.0, which uses AVL trees instead of linked lists for faster ACI evaluation and also supports macros in ACIs. Macros would allow most, if not all, of the Delegated Administrator ACIs to be moved to the root node, improving scalability immensely.
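A way to check these counts against your own directory, added here as an example and not something shipped with Delegated Administrator: the Python below reads an LDIF export, unfolds LDIF continuation lines, lists the aci values carried by each entry by acl name and granted rights, and projects the total ACI count as the root-node ACIs plus the per-organization ACIs multiplied by the number of organizations, flagging the 2000-ACI and 150-organization figures quoted in the note above. The LDIF sample is constructed for the example, and the root-node DN o=ISP, the thresholds and the projection formula are assumptions of this example rather than product behaviour.

```python
"""Inventory the aci values in an LDIF export and size them against this appendix's figures (added example)."""
import re

# Constructed LDIF sample laid out as this appendix describes: root-node ACIs on o=ISP,
# organization-level ACIs on o=Siroe, o=ISP. Long values are folded onto continuation
# lines (leading space) as LDIF requires, so the unfolding step below is exercised.
SAMPLE_LDIF = """\
dn: o=ISP
objectClass: nsManagedISP
aci: (targetfilter=(objectClass=nsManagedISP))(version 3.0; acl "SA root node access";
  allow (read,search) groupdn="ldap:///cn=Service Administrators, ou=Groups, o=ISP";)
aci: (targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "User self read,search";
  allow (read,search) userdn="ldap:///self";)

dn: o=Siroe, o=ISP
objectClass: nsManagedDomain
aci: (targetfilter=(objectClass=nsManagedDomain))(version 3.0; acl "Domain Adm domain access";
  allow (read,search) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)
aci: (targetfilter=(objectClass=nsManagedMailList))(version 3.0; acl "Mail list create access";
  allow (add) userdn="ldap:///o=ISP??sub?(nsDACapability=mailListCreate)";)
"""

_ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
_RIGHTS = re.compile(r"\b(allow|deny)\s*\(([^)]*)\)")


def parse_ldif(text):
    """Yield (dn, lines) per record, joining LDIF continuation lines onto the value they belong to."""
    records, current = [], []
    for raw in text.splitlines() + [""]:        # the trailing "" flushes the last record
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]               # folded line: drop the single leading space, append
        elif raw == "":
            if current:
                records.append(current)
            current = []
        else:
            current.append(raw)
    for lines in records:
        yield next(l[3:].strip() for l in lines if l.lower().startswith("dn:")), lines


def inventory(text):
    """Map each entry DN to its ACIs as (acl name, allow|deny, rights tuple)."""
    result = {}
    for dn, lines in parse_ldif(text):
        acis = []
        for line in (l for l in lines if l.lower().startswith("aci:")):
            value = line[4:].strip()
            name = _ACL_NAME.search(value)
            grant = _RIGHTS.search(value)
            verb, rights = grant.groups() if grant else ("?", "")
            acis.append((name.group(1) if name else "<unnamed>", verb,
                         tuple(r.strip() for r in rights.split(",") if r.strip())))
        result[dn] = acis
    return result


def check_scale(inv, org_count, root_dn="o=ISP", aci_limit=2000, org_limit=150):
    """Project the ACI total for org_count organizations (root-node ACIs counted once,
    organization-level ACIs once per organization) and flag the figures quoted in the note."""
    root = len(inv.get(root_dn, []))
    per_org = max((len(a) for dn, a in inv.items() if dn != root_dn), default=0)
    projected = root + per_org * org_count
    warnings = []
    if projected > aci_limit:
        warnings.append("%d projected ACIs exceeds the %d quoted for Directory Server 4.x" % (projected, aci_limit))
    if org_count > org_limit and per_org:
        warnings.append("%d organizations carry %d ACIs each; move what you can to the root node" % (org_count, per_org))
    return projected, warnings
```

Run it against the output of an ldapsearch export of the o=ISP subtree (requesting the aci attribute explicitly, since it is operational and not returned by default) to see how the per-organization ACIs multiply out; with the sample above, ten organizations project to 22 ACIs and three thousand to 6002.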




Top-level Administrators

Service Administrator and Service Help Desk Administrator ACIs are defined at the root node of the Delegated Administrator tree. There is only one Service Administrator group and only one Service Help Desk Administrator group in the entire tree. This makes it possible to define the ACIs using just the groupdn to grant these administrators the appropriate access.


Organization Administrators

There are two ways to define ACIs for administrators at the organization level. One way is to define the ACIs at the organization level, as was done in previous versions of Delegated Administrator. This method does not require frequent or numerous changes, but a consequence of using it is lower performance. If the Delegated Administrator tree must support thousands of organizations, the Directory Server must evaluate tens of thousands of ACIs and performance will slow considerably. The alternative is to make use of groups and the object's owner or nsDAModifiableBy attributes. This method, while immensely more scalable, requires more maintenance. The approach used in Delegated Administrator 4.5 is a combination of the two.

For cases such as End User read and search access to other users in the organization, which would require a huge group membership, the first approach of defining an organization-specific ACI was used. The first approach was also used to eliminate the need for nsDAModifiableBy and owner attributes as much as possible.

The more scalable approach of administrator groups and object owner attributes was used for Groups, Group Administrator groups, and Group members. At the organization level, users can belong to one of three administrator groups: Organization Administrators, Organization Help Desk Administrators, and Group Administrators. Users who do not belong to any of these groups are considered End Users. Every manageable resource in the organization (groups and users) must have an owner or nsDAModifiableBy attribute which specifies who can manage it.

To define such an ACI, Delegated Administrator uses the userdn keyword to select all users who belong to a particular kind of administrator group, AND-ed with the groupdnattr keyword, which names the attribute of the target object (owner or nsDAModifiableBy) that holds the administrator group allowed to manage it. The userdn keyword limits the match to users belonging to a particular administrator group. The groupdnattr keyword narrows it further: only users who belong to the specific administrator group that owns, or can modify, the targeted object are granted access.

There were some special requirements for defining default ACIs in Delegated Administrator 4.5. The default ACIs use two kinds of access: general modify access and owner access. General modify access is usually a subset of owner access. For example, in the case of Group Administrators, there are some tasks that all the Group Administrators in the organization should be able to perform, such as adding existing users to their group. There are also some tasks that only the specific Group Administrators of a group can perform, such as managing the users in that group.

In order to differentiate the capabilities for Group Administrators, two administrator groups are used: one containing the list of all Group Administrators in the organization (organization Department Administrators), and another containing just the Group Administrators for the Group (the actual Group Administrators). The common capabilities for all Group Administrators are defined using the organization Department Administrators group in conjunction with the owner or the nsDAModifiableBy attribute, while specific capabilities for a particular department have been defined using the Group Administrators group along with the owner attribute.



Delegated Administrator ACIs Explained



The following section gives a brief explanation of the actual ACIs used in iDA 4.5. Explanations are grouped by type of administrator. The top-level ACIs are listed first, followed by the organization-specific ACIs.


Top-level ACIs

The following types of ACIs are defined at the top level of the Delegated Administrator tree:


Anonymous Access

The following ACI allows anonymous read and search access to all user entries. Anonymous access may be required by some applications to search for one or more entries prior to binding as one of them. Certain deployments may not want to expose directory data except to authenticated users with appropriate access. In such cases you may want to remove this ACI. A script (anon.ldif) is provided in the product to help do this. For more information, see Step 9: (Optional) Disable Anonymous Access to Your User Tree.

The following ACI allows anonymous read and search access to the postmaster entry. This ACI is needed by Netscape Messaging Server.


(targetattr="*")
(version 3.0; acl "Anonymous access to Postmaster entry";
allow (read,search) userdn="ldap:///anyone";)



NDAUser Access

The Authentication Administrator is a user entry, uid=NDAUser, stored under ou=config in Directory Server. Its special purpose is to act as an agent for Delegated Administrator, binding to the directory during authentication when necessary.

The following ACI grants the Authentication Administrator read and search access to the indicated attributes of users in the Delegated Administrator tree for uid resolution.


(targetfilter=(objectClass=nsManagedPerson))
(version 3.0; acl "NDAUser access"; allow (read,search)
userdn="ldap:///uid=NDAUser, ou=config, o=ISP";)


The following ACI grants the NDAUser read and search access to the indicated attributes of the root node.


aci: (targetattr="objectClass||o||nsNumDomains")
(targetfilter=(objectClass=nsManagedISP))
(version 3.0; acl "NDAUser access to toplevel attributes";
allow (read,search) userdn="ldap:///uid=NDAUser,
ou=config, o=ISP";)


The following ACI grants the NDAUser read and search access to the indicated attributes of organizations in the iDA DIT.


||nsNumDepts||nsNumMailLists||nsNumDomains
||nsMaxUsers||nsMaxDepts||nsMaxMailLists||nsMaxDomains")
(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "NDAUser access to domain entries";
allow (read,search) userdn="ldap:///uid=NDAUser,
ou=config, o=ISP";)


The following ACI grants the Authentication Administrator read and search access to the indicated attributes of groups in the iDA DIT.


(targetfilter=(objectClass=nsManagedDept))
(version 3.0; acl "NDAUser access to dept entries";
allow (read,search) userdn="ldap:///uid=NDAUser,
ou=config, o=ISP";)


The following ACI grants the NDAUser read and search access to the indicated attributes of organizational units in the iDA DIT.


(targetfilter=(objectClass=nsManagedorgUnit))
(version 3.0; acl "NDAUser access to orgunits";
allow (read,search) userdn="ldap:///uid=NDAUser,
ou=config, o=ISP";)


The following ACI grants the NDAUser read and search access to the indicated attributes of mailing lists in the iDA DIT.


(targetfilter=(objectClass=nsManagedMailList))
(version 3.0; acl "NDAUser access to mail lists";
allow (read,search) userdn="ldap:///uid=NDAUser,
ou=config, o=ISP";)


The following ACI grants the NDAUser write access to the indicated attribute of the iDA base entry.


(targetfilter=(objectClass=nsManagedISP))
(version 3.0; acl "NDAUser write access to toplevel";
allow (write) userdn="ldap:///uid=NDAUser,
ou=config, o=ISP";)


The following ACI grants the NDAUser write access to the nsNum* attributes of all organization (domain) entries.


(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "NDAUser write access to domains";
allow (write) userdn="ldap:///uid=NDAUser,
ou=config, o=ISP";)


The following ACI grants the NDAUser write access to the indicated attributes of departments in the iDA DIT.


(targetfilter=(objectClass=nsManagedDept))
(version 3.0; acl "NDAUser write access to depts";
allow (write) userdn="ldap:///uid=NDAUser,
ou=config, o=ISP";)


The following ACI grants the NDAUser write access to the indicated attributes of Mailing Lists in the iDA DIT.


(targetfilter=(objectClass=nsManagedMailList))
(version 3.0; acl "NDAUser write access to mail lists";
allow (write) userdn="ldap:///uid=NDAUser,
ou=config, o=ISP";)



Top-level Administrator Access

The following ACI grants Top-level administrators read and search access to the nsManagedISP objects in the base entry of the Delegated Administrator tree.


(targetfilter=(objectClass=nsManagedISP))
(version 3.0; acl "SA root node access";
allow (read,search) groupdn="ldap:///cn=Service
Administrators, ou=Groups, o=ISP";)


The following ACI grants Service Administrators all access to all indicated objects in the NDA DIT.


(targetfilter=(|(objectClass=nsManagedDomain)
(objectClass=nsManagedOrgUnit)
(objectClass=nsManagedDeptAdminGroup)
(objectClass=nsManagedDept)
(objectClass=nsManagedMailList)
(objectClass=nsManagedPerson)))
(version 3.0; acl "SA domain access";
allow (all) groupdn="ldap:///cn=Service
Administrators, ou=Groups, o=ISP";)



Service Help Desk Administrators Access

The following ACI grants Top-level Help Desk administrators read and search access to the Delegated Administrator base entry, all organizations, and all users in the Delegated Administrator tree.


(targetfilter=(|(objectClass=nsManagedISP)
(|(objectClass=nsManagedDomain)
(objectClass=nsManagedPerson))))
(version 3.0; acl "SHDA root node access";
allow (read,search) groupdn="ldap:///cn=Service Help
Desk Administrators, ou=Groups, o=ISP";)


The following ACI grants Top-level Help Desk administrators complete access to Mail Lists entries.


(targetfilter=(objectClass=nsManagedMailList))
(version 3.0; acl "SHDA mail list access";
allow (all) groupdn="ldap:///cn=Service Help
Desk Administrators, ou=Groups, o=ISP";)


The following ACI grants Top-level Help Desk administrators write access to the userPassword attribute of all users in the Delegated Administrator tree except for users who are Top-level administrators or Top-level Help Desk administrators. Note that the End User ACI, which grants access to attributes of one's own entry, allows Service Help Desk Administrators to modify their own passwords.


(targetfilter=(&(objectClass=nsManagedPerson)
(&(!(memberOf=cn=Service Administrators, ou=Groups, o=ISP))
(!(memberOf=cn=Service Help Desk Administrators,
ou=Groups, o=ISP)))))(version 3.0; acl "SHDA user write
access"; allow (write) groupdn="ldap:///cn=Service Help
Desk Administrators, ou=Groups, o=ISP";)



Group Administrator Access Control

The following ACI grants Group administrators read and search access to the groups they can modify. Typically these are groups they did not create themselves, for example the top-level groups as opposed to the subgroups they created.


(targetfilter=(|(objectClass=nsManagedDept)
(objectClass=nsManagedDeptAdminGroup)))
(version 3.0; acl "Dept Adm dept access";
allow (read,search) userdn="ldap:///o=ISP??sub?
(memberOf=cn=Department Administrators*)" and
groupdnattr="ldap:///o=ISP?nsDAModifiableBy";)


The following ACI allows write access to the nsNumUsers, nsNumDepts, and uniqueMember attributes of the group entries a Group administrator can modify.


(targetfilter=(|(objectClass=nsManagedDept)
(objectClass=nsManagedDept)))(version 3.0; acl
"Dept Adm dept write"; allow (write) userdn=
"ldap:///o=ISP??sub?(memberOf=cn=Department
Administrators*)" and groupdnattr="ldap:///o=
ISP?nsDAModifiableBy";)


The following ACI grants Department Administrators complete access to the groups that they create or subgroups of the groups that they are owners of.


(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)
(objectClass=nsManagedDept))) (version 3.0; acl
"Dept Adm all access to dept"; allow (all)
userdn="ldap:///o=ISP??sub?(memberOf=cn=Department
Administrators*)" and groupdnattr="ldap:///o=ISP?owner";)


The following ACI allows read, search, write, and delete access to all users in the group except other administrators.


(targetfilter=(&(objectClass=nsManagedPerson)
(&(!(memberOf=cn=Service Administrators, ou=Groups, o=ISP))
(&(!(memberOf=cn=Service Help Desk Administrators,
ou=Groups, o=ISP))(&(!(memberOf=cn=Domain Administrators*))
(!(memberOf=cn=Domain Help Desk Administrators*)
(!(memberOf=cn=Domain Department Administrators*))))))))
(version 3.0; acl "Dept Adm user access"; allow (read,
search, write,delete) userdn="ldap:///o=ISP??sub?
(memberOf=cn=Department Administrators*)" and
groupdnattr="ldap:///o=ISP?owner";)


The following ACI grants a Group Administrator add access, so that he or she can create new users.


(targetfilter=(objectClass=nsManagedPerson))
(version 3.0; acl "Dept Adm user create access";
allow (add) userdn="ldap:///o=ISP??sub?(memberOf=
cn=Department Administrators*)";)


The following ACI allows a Group Administrator to add self to any group/subgroup that they administer.


"Dept Adm access to add self to group and subgroups";
allow (write) userdn="ldap:///o=ISP??sub?(memberOf=
cn=Department Administrators*)" and userdn="ldap:///self";)



User Access

The following ACI gives users in the Delegated Administrator tree the ability to read and search their own entry.


(targetfilter=(objectClass=nsManagedPerson))
(version 3.0; acl "User self read,search";
allow (read,search) userdn="ldap:///self";)


The following ACI grants all users in the NDA DIT the ability to update any of their own attributes except for the indicated attributes.


||nsDACapability ||mail||mailAlternateAddress
||memberOf||nsDADomain") targetfilter=(objectClass=
nsManagedPerson)) (version 3.0; acl "User self
modification"; allow (write) userdn="ldap:///self";)


The following ACI denies all users in the NDA DIT the ability to delete their own entry.


(version 3.0; acl "User self deletion"; deny (delete)
userdn="ldap:///self";)
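The interplay of userdn, groupdnattr and the memberOf exclusion filters described under ACI Implementation and Scalability Issues, and used by the Group Administrator, Top-level Help Desk Administrator and User ACIs above, can be checked with a small model. The Python below is an added example, not code from the product: it parses the filter subset these ACIs use, evaluates the bind-rule keywords userdn (self, anyone, base??sub?(filter)), groupdn and groupdnattr, and applies the rule that an explicit deny takes precedence over allow. The sample directory and the DNs of the administrator groups are assumptions; the targetattr of the "SHDA user write access" ACI is truncated on the page, so userPassword is assumed from the accompanying text, and the "Dept Adm user access" filter is rewritten in well-formed form. The model reproduces the scenario from How Group Administrator ACIs Work: a Group administrator holds full rights to a user whose owner attribute names one of her groups, nothing on a user owned by another group's administrators, and only self read and search on her own entry.

```python
"""Toy evaluator for the Directory Server ACI semantics used on this page (added example)."""
import re

def norm(dn):
    """DN comparison form: case-insensitive, no whitespace after separators."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

def parse_filter(text):
    """Parse the LDAP filter subset these ACIs use: (&..), (|..), (!..), attr=value, attr=prefix*."""
    return _parse(re.sub(r"\s+(?=[()])", "", text), 0)[0]

def _parse(s, i):                          # returns (node, index just past the closing parenthesis)
    assert s[i] == "(", "malformed filter at offset %d" % i
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", node), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value.strip()), j + 1

def match(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attribute -> list of values)."""
    kind = node[0]
    if kind in "&|":
        return (all if kind == "&" else any)(match(k, entry) for k in node[1])
    if kind == "!":
        return not match(node[1], entry)
    values = [norm(v) for v in entry.get(node[1], [])]
    if node[2].endswith("*"):              # prefix wildcard, e.g. memberOf=cn=Domain Administrators*
        return any(v.startswith(norm(node[2][:-1])) for v in values)
    return norm(node[2]) in values

# Constructed sample directory; the DNs and where the administrator groups live are assumptions.
_U = "uid=%s, ou=People, o=Siroe, o=ISP"
_SAMPLE = {
    _U % "sam":   {"memberOf": ["cn=Service Administrators, ou=Groups, o=ISP"]},
    _U % "helen": {"memberOf": ["cn=Service Help Desk Administrators, ou=Groups, o=ISP"]},
    _U % "doris": {"memberOf": ["cn=Department Administrators, ou=Marketing, o=Siroe, o=ISP",  # Marketing's Group admin
                                "cn=Domain Department Administrators, ou=Groups, o=Siroe, o=ISP"]},
    _U % "bill":  {"owner": ["cn=Department Administrators, ou=Marketing, o=Siroe, o=ISP"]},   # managed by Marketing's admins
    _U % "jerry": {"owner": ["cn=Department Administrators, ou=Sales, o=Siroe, o=ISP"]},       # managed by Sales' admins
}
DIRECTORY = {norm(dn): dict({"objectclass": ["nsManagedPerson"]}, **{a.lower(): v for a, v in e.items()})
             for dn, e in _SAMPLE.items()}

def _term_matches(keyword, url, bind_dn, target_dn):
    """One bind-rule term (userdn, groupdn, groupdnattr) in the ldap:/// forms this page uses."""
    user, spec = DIRECTORY[bind_dn], url[len("ldap:///"):]
    member_of = {norm(g) for g in user.get("memberof", [])}
    if keyword == "groupdn":
        return norm(spec) in member_of
    if keyword == "groupdnattr":           # base?attr: the groups named in the target's own attribute
        return any(norm(g) in member_of for g in DIRECTORY[target_dn].get(spec.split("?")[1].lower(), []))
    if spec == "anyone":                   # remaining forms are userdn
        return True
    if spec == "self":
        return bind_dn == target_dn
    if "??sub?" in spec:                   # base??sub?(filter): bind user sits under base and matches filter
        base, filt = spec.split("??sub?")
        return bind_dn.endswith(norm(base)) and match(parse_filter(filt), user)
    return bind_dn == norm(spec)

def bind_rule_matches(rule, bind_dn, target_dn):
    """'and' binds tighter than 'or' (a simplification of the server's bind-rule grammar)."""
    return any(all(_term_matches(*re.match(r'(\w+)="([^"]*)"', t.strip()).groups(), bind_dn, target_dn)
                   for t in clause.split(" and ")) for clause in rule.split(" or "))

def aci(name, targetfilter, rights, bindrule, targetattr="*", deny=False):
    return {"name": name, "targetfilter": parse_filter(targetfilter), "rights": set(rights), "deny": deny,
            "targetattr": {a.strip().lower() for a in targetattr.split("||")}, "bindrule": bindrule}

ACIS = [
    # "SHDA user write access"; the page's fragment lost its targetattr, userPassword is assumed from the prose
    aci("SHDA user write access", "(&(objectClass=nsManagedPerson)(!(memberOf=cn=Service Administrators, ou=Groups, o=ISP))"
        "(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=ISP)))", {"write"},
        'groupdn="ldap:///cn=Service Help Desk Administrators, ou=Groups, o=ISP"', targetattr="userPassword"),
    # "Dept Adm user access": owner-scoped access, with a well-formed rewrite of the page's exclusion filter
    aci("Dept Adm user access", "(&(objectClass=nsManagedPerson)(!(memberOf=cn=Service Administrators, ou=Groups, o=ISP))"
        "(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=ISP))(!(memberOf=cn=Domain Administrators*))"
        "(!(memberOf=cn=Domain Help Desk Administrators*))(!(memberOf=cn=Domain Department Administrators*)))",
        {"read", "search", "write", "delete"},
        'userdn="ldap:///o=ISP??sub?(memberOf=cn=Department Administrators*)" and groupdnattr="ldap:///o=ISP?owner"'),
    aci("User self read,search", "(objectClass=nsManagedPerson)", {"read", "search"}, 'userdn="ldap:///self"'),
    aci("User self deletion", "(objectClass=nsManagedPerson)", {"delete"}, 'userdn="ldap:///self"', deny=True),
]

def rights(bind_dn, target_dn, attr="userPassword", acis=ACIS):
    """Rights bind_dn holds on attribute attr of target_dn; an explicit deny beats every allow."""
    bind_dn, target_dn, attr = norm(bind_dn), norm(target_dn), attr.lower()
    target, allowed, denied = DIRECTORY[target_dn], set(), set()
    for a in acis:
        if (match(a["targetfilter"], target) and ("*" in a["targetattr"] or attr in a["targetattr"])
                and bind_rule_matches(a["bindrule"], bind_dn, target_dn)):
            (denied if a["deny"] else allowed).update(a["rights"])
    return allowed - denied
```

Calling rights("uid=helen, ou=People, o=Siroe, o=ISP", "uid=bill, ou=People, o=Siroe, o=ISP") returns only write, and the same call against uid=sam (a Service Administrator) returns nothing, which is exactly what the memberOf exclusion in "SHDA user write access" is for; rights(doris, doris, "uid") returns only read and search because the "Domain Department Administrators" exclusion keeps a Group administrator's own entry out of the owner-scoped ACI and the self-deletion deny removes delete. The model ignores targetattr negation, targetscope and the server's real bind-rule precedence, so treat it as a reading aid, not as a substitute for testing against the directory itself.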



Mail List access

The following ACI allows all designated users to create mailing lists. Users can create mailing lists if their entries contain the nsDACapability attribute with the value mailListCreate.


(targetfilter=(objectClass=nsManagedMailList))
(version 3.0; acl "Mail list create access";
allow (add) userdn="ldap:///o=ISP??sub?
(nsDACapability=mailListCreate)";)


The following ACI allows an owner of a mail list to read, search, write, and delete the mail lists he or she owns, with one exception. An owner cannot change the nsMaxUsers value for the mail list once it has been created.


(targetfilter=(objectClass=nsManagedMailList))
(version 3.0; acl "Mail list owner access";
allow (read,search,write,delete) groupdnattr=
"ldap:///o=ISP?owner";)



Organization-level ACIs

The following ACIs are defined at the organization level; they exist for every organization and suborganization created. You might be able to optimize the number of ACIs required at this level based on your deployment requirements. If you must modify existing ACIs, create enough ACIs to enforce the required access control, but at the same time keep the number to a minimum to ensure optimal performance.


Organization Administrator Access Control

The following ACI allows an organization administrator read and search access to this organization and its suborganization entries.


(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain Adm domain access";
allow (read,search) groupdn="ldap:///cn=Domain
Administrators, ou=Groups, o=Siroe, o=ISP";)


The following ACI allows an organization administrator read and search access to the Domain Administrators group entry.


o=Siroe, o=ISP") (targetattr="*") (targetfilter=(|
(objectClass=nsManagedDeptAdminGroup) (objectClass=
nsManagedDept))) (version 3.0; acl "Domain Adm dept
access"; allow (read,search) groupdn="ldap:///cn=Domain
Administrators, ou=Groups, o=Siroe, o=ISP";)


The following ACI allows an organization administrator read, search, and write access to the Organization Help Desk Administrators group entry.


ou=Groups, o=Siroe, o=ISP") (targetattr="*")
(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)
(objectClass=nsManagedDept))) (version 3.0; acl
"Domain Adm dept access"; allow (read,search,write)
groupdn="ldap:///cn=Domain Administrators, ou=Groups,
o=Siroe, o=ISP";)


The following ACI allows Organization Administrators and Domain Department Administrators read, search, and write access to the Domain Department Administrators group. The Domain Department Administrators group contains all the Group administrators for groups defined at this organization level.


ou=Groups, o=Siroe, o=ISP") (targetattr="*")
(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)
(objectClass=nsManagedDept))) (version 3.0; acl "Domain
Adm dept access"; allow (read,search,write)
groupdn="ldap:///cn=Domain Administrators, ou=Groups,
o=Siroe, o=ISP" or groupdn="ldap:///cn=Domain Department
Administrators, ou=Groups, o=Siroe, o=ISP";)


The following ACI provides the organizational administrators with read and search access to all organizational units in the organization, Siroe.


(targetattr="*") (targetfilter=(objectClass=
nsManagedOrgUnit)) (version 3.0; acl "Domain Adm
org unit access"; allow (read,search,write)
groupdn="ldap:///cn=Domain Administrators,
ou=Groups, o=Siroe, o=ISP";)


The following ACI provides Organizational administrators with all access to the groups, 'group administrator' groups and mail lists in the organization, Siroe.


(targetattr="*")
(targetfilter=(|(objectClass=nsManagedDept)
(objectClass=nsManagedDeptAdminGroup)
(objectClass=nsManagedMailList)))
(version 3.0; acl "Domain Adm dept access";
allow (all) groupdn="ldap:///cn=Domain Administrators,
ou=Groups, o=Siroe, o=ISP";)


The following ACI provides the organizational administrators with read, search, and add access to all user entries in the organization and its suborganizations.


nsManagedPerson)) (version 3.0; acl "Domain Adm
user access"; allow (read,search,add) groupdn="ldap:///
cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)


The following ACI provides Organization administrators with write and delete access to all users in the organizations they own, except for Top-level Administrators and Top-level Help Desk Administrators.


nsManagedPerson) (&(!(memberOf=cn=Service Administrators,
ou=Groups, o=ISP)) (!(memberOf=cn=Service Help Desk
Administrators, ou=Groups, o=ISP))))) (version 3.0; acl
"Domain Adm user modify access"; allow (write,delete)
groupdn="ldap:///cn=Domain Administrators, ou=Groups,
o=Siroe, o=ISP";)


The following ACI provides the Organization administrators with all access to suborganizations and their users, organizational units, groups, and mail lists.


(targetattr="*")
(targetfilter=(|(objectClass=nsManagedDomain)
(objectClass=nsManagedDeptAdminGroup)
(objectClass=nsManagedOrgUnit)
(objectClass=nsManagedDept)
(objectClass=nsManagedMailList)))
(version 3.0; acl "Domain Adm access";
allow (all) groupdn="ldap:///cn=Domain Administrators,
ou=Groups, o=Siroe, o=ISP";)



Organization Help Desk Administrator Access Control

The following ACI provides the organizational help desk administrators with read and search access to this organization, its suborganizations and all users.


(targetfilter=(|(objectClass=nsManagedDomain)
(objectClass=nsManagedPerson)))
(version 3.0; acl "DHDA access"; allow (read,search)
groupdn="ldap:///cn=Domain Help Desk Administrators,
ou=Groups, o=Siroe, o=ISP";)


The following ACI provides the Organization help desk administrators with all access to all mail lists defined in this organization and its suborganizations.


(targetfilter=(objectClass=nsManagedMailList))
(version 3.0; acl "DHDA mail list access"; allow (all)
groupdn="ldap:///cn=Domain Help Desk Administrators,
ou=Groups, o=Siroe, o=ISP";)


The following ACI provides the Organization help desk administrators with write access to the userPassword attribute of all users in the organization, except for Top-level Administrators, Top-level Help Desk Administrators, Organization Administrators, and Organization Help Desk Administrators.


nsManagedPerson) (&(!(memberOf=cn=Service Administrators,
ou=Groups, o=ISP)) (&(!(memberOf=cn=Service Help Desk
Administrators, ou=Groups, o=ISP)) (&(!(memberOf=cn=Domain
Administrators, ou=Groups, o=Siroe, o=ISP)) (!(memberOf=cn=
Domain Help Desk Administrators, ou=Groups, o=Siroe,
o=ISP))))))) (version 3.0; acl "DHDA user write access";
allow (write) groupdn="ldap:///cn=Domain Help Desk
Administrators, ou=Groups, o=Siroe, o=ISP";)



Mailing List access control

The following ACI allows all users in this organization to join any mailing list that is joinable. A mailing list is joinable if it contains an attribute mgmanJoinability whose value is set to all. The selfwrite right lets a bound user add or remove only their own DN as a member value; it does not let them change other members.


(targetfilter=(&(objectClass=nsManagedMailList)
(mgmanJoinability=all))) (version 3.0; acl "User self
subscribe access"; allow (selfwrite) userdn="ldap:///uid=*,
ou=People, o=Siroe, o=ISP";)


The following ACI allows all users read and search access to all visible mail lists in their organization. A mailing list is visible if it contains an attribute mgmanHidden whose value is set to false.


(targetfilter=(&(objectClass=nsManagedMailList)
(mgmanHidden=false))) (version 3.0; acl "User mail
list access when visible"; allow (read,search)
userdn="ldap:///uid=*, ou=People, o=Siroe, o=ISP";)


The following ACI allows all users read and search access to mail lists whose membership is visible to everyone in their organization, that is, lists whose mgmanMemberVisibility attribute is set to all.


(targetfilter=(&(objectClass=nsManagedMailList)
(mgmanMemberVisibility=all))) (version 3.0; acl "User
mail list member access"; allow (read,search)
userdn="ldap:///uid=*, ou=People, o=Siroe, o=ISP";)


The following ACI allows the members of a restricted mailing list (mgmanMemberVisibility=restricted) read and search access to the list entry, and so to its other members. The groupdnattr bind rule takes the group DN from the mgmanMemberVisibilityGroup attribute of the target list entry itself, so each list determines who may see its membership.


(targetfilter=(&(objectClass=nsManagedMailList)
(mgmanMemberVisibility=restricted))) (version 3.0; acl "User mail list
access - group"; allow (read,search)
groupdnattr="ldap:///o=ISP?mgmanMemberVisibilityGroup";)


The following ACI allows anyone, authenticated or anonymous (userdn="ldap:///anyone"), read and search access to mailing lists whose mgmanMemberVisibility attribute is set to anyone.


(targetfilter=(&(objectClass=nsManagedMailList)
(mgmanMemberVisibility=anyone))) (version 3.0; acl
"User mail list access - public"; allow (read,search)
userdn="ldap:///anyone";)



User access control

The following ACI provides all authenticated users of an organization with read and search access to all attributes except userPassword of the other user entries in the organization.


(objectClass=nsManagedPerson)) (version 3.0; acl
"User access to all users in domain"; allow (read,search)
userdn="ldap:///uid=*, ou=People, o=Siroe, o=ISP";)
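To check what a set of ACIs like the ones above actually grants before loading it, here is an added example, written for this page and not code from the Delegated Administrator guide or product: a small Python evaluator for the ACI syntax subset used in this appendix (targetattr with = or !=, targetfilter, allow rights, and groupdn, userdn and groupdnattr bind rules joined by or). It does not implement deny rules, and/not combinations of bind rules, or any other Directory Server ACI feature, and it is no substitute for the server's own evaluation. Its sample ACIs, bind identities and entries are constructed, modelled on the ACIs in this appendix, with the targetfilter prefixes that the page truncates restored as an assumption.

```python
# Added example (not the guide's own code): offline evaluator for the ACI syntax subset shown on this page.
import re

def norm_dn(dn):  # canonical DN for comparison: lower-case, no blanks around commas
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_filter(s, i=0):  # recursive descent over (&..), (|..), (!..), (attr=value)
    if s[i + 1] in "&|!":
        op, subs, i = s[i + 1], [], i + 2
        while s[i] != ")":
            if s[i] == "(":
                node, i = parse_filter(s, i)
                subs.append(node)
            else:
                i += 1  # whitespace between components
        return (op, subs), i + 1
    end = s.index(")", i)  # values on this page never contain ")"
    attr, _, value = s[i + 1:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1

def match(node, entry):  # entry: {attr_lower: [values]}
    op, arg = node[0], node[1]
    if op in "&|":
        return (all if op == "&" else any)(match(n, entry) for n in arg)
    if op == "!":
        return not match(arg[0], entry)
    canon = norm_dn if arg == "memberof" else str.lower  # memberOf holds DNs
    return canon(node[2]) in {canon(v) for v in entry.get(arg, [])}

ACL_RE = re.compile(r'acl\s+"([^"]*)"')
ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)')
TATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)')
BIND_RE = re.compile(r'(groupdnattr|groupdn|userdn)\s*=\s*"ldap:///([^"]*)"')

def parse_aci(text):
    text = " ".join(text.split())  # the guide wraps ACIs across several lines
    tattr, i = TATTR_RE.search(text), text.find("(targetfilter=")
    return {"name": ACL_RE.search(text).group(1),
            "rights": {r.strip().lower() for r in ALLOW_RE.search(text).group(1).split(",")},
            "targetattr": tattr.groups() if tattr else ("=", "*"),  # absent: every attribute
            "targetfilter": parse_filter(text, i + len("(targetfilter="))[0] if i >= 0 else None,
            "bind": BIND_RE.findall(text)}  # this page joins bind rules only with "or"

def bind_matches(rule, bind, target):  # bind: {"dn": DN or None (anonymous), "groups": {DNs}}
    kind, value = rule
    if kind == "groupdn":
        return norm_dn(value) in bind["groups"]
    if kind == "groupdnattr":  # "ldap:///o=ISP?attr": the group DN is read from the target entry
        return any(norm_dn(g) in bind["groups"] for g in target.get(value.split("?")[1].lower(), []))
    if value == "anyone" or bind["dn"] is None:  # userdn="ldap:///anyone" matches every bind
        return value == "anyone"
    pattern = re.escape(norm_dn(value)).replace(r"\*", "[^,]+")  # uid=* style wildcard
    return re.fullmatch(pattern, norm_dn(bind["dn"])) is not None

def allowed(acis, bind, target, right, attr=None):
    """Default deny: return the name of the first ACI granting `right` (on `attr`), else None."""
    for aci in acis:
        op, spec = aci["targetattr"]
        in_spec = attr is None or "*" in spec or attr.lower() in [a.strip().lower() for a in spec.split("||")]
        if not ({right, "all"} & aci["rights"]) or (attr is not None and in_spec == (op == "!=")):
            continue  # right not granted, or attr outside targetattr (inside it, for !=)
        if aci["targetfilter"] and not match(aci["targetfilter"], target):
            continue
        if any(bind_matches(r, bind, target) for r in aci["bind"]):
            return aci["name"]
    return None

# Constructed sample ACIs modelled on the ones above (truncated targetfilter prefixes restored as an assumption).
SAMPLE_ACIS = [
    '''(targetattr="*") (targetfilter=(&(objectClass=nsManagedPerson) (&(!(memberOf=cn=Service Administrators,
       ou=Groups, o=ISP)) (!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=ISP))))) (version 3.0;
       acl "Domain Adm user modify access"; allow (write,delete)
       groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)''',
    '''(targetattr="userPassword") (targetfilter=(&(objectClass=nsManagedPerson)
       (!(memberOf=cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP)))) (version 3.0; acl "DHDA user write
       access"; allow (write) groupdn="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe, o=ISP";)''',
    '''(targetattr != "userPassword") (targetfilter=(objectClass=nsManagedPerson)) (version 3.0; acl "User access
       to all users in domain"; allow (read,search) userdn="ldap:///uid=*, ou=People, o=Siroe, o=ISP";)''',
    '''(targetfilter=(&(objectClass=nsManagedMailList)(mgmanMemberVisibility=restricted))) (version 3.0; acl "User
       mail list access - group"; allow (read,search) groupdnattr="ldap:///o=ISP?mgmanMemberVisibilityGroup";)''',
]

def scenario():  # constructed binds and entries; each result is the granting ACI's name or None
    acis = [parse_aci(a) for a in SAMPLE_ACIS]
    grp = lambda cn: {norm_dn("cn=%s, ou=Groups, o=Siroe, o=ISP" % cn)}
    dom_adm = {"dn": "uid=dadmin, ou=People, o=Siroe, o=ISP", "groups": grp("Domain Administrators")}
    helpdesk = {"dn": "uid=hd, ou=People, o=Siroe, o=ISP", "groups": grp("Domain Help Desk Administrators")}
    staff = {"dn": "uid=bob, ou=People, o=Siroe, o=ISP", "groups": grp("Staff")}
    user = {"objectclass": ["nsManagedPerson"]}
    top_admin = {"objectclass": ["nsManagedPerson"], "memberof": ["cn=Service Administrators, ou=Groups, o=ISP"]}
    restricted = {"objectclass": ["nsManagedMailList"], "mgmanmembervisibility": ["restricted"],
                  "mgmanmembervisibilitygroup": ["cn=Staff, ou=Groups, o=Siroe, o=ISP"]}
    return {"dom_adm_deletes_user": allowed(acis, dom_adm, user, "delete"),
            "dom_adm_deletes_top_admin": allowed(acis, dom_adm, top_admin, "delete"),
            "helpdesk_resets_password": allowed(acis, helpdesk, user, "write", "userPassword"),
            "helpdesk_edits_mail": allowed(acis, helpdesk, user, "write", "mail"),
            "staff_reads_peer_mail": allowed(acis, staff, user, "read", "mail"),
            "staff_reads_peer_password": allowed(acis, staff, user, "read", "userPassword"),
            "staff_reads_restricted_list": allowed(acis, staff, restricted, "read", "cn")}
```

Running scenario() shows the property the appendix relies on: an Organization administrator can delete an ordinary user but not a Top-level Administrator, because the memberOf exclusions in the targetfilter stop the only ACI that grants delete; a help desk administrator can reset userPassword but cannot touch mail; and an ordinary user can read a peer's attributes except userPassword, which the != targetattr excludes. Because every lookup is default deny, a rule that is never reached (no matching bind rule, wrong targetfilter) simply yields None, which is the first thing to check when a customised ACI "does nothing".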




Tips on Customizing Delegated Administrator ACIs



It may be necessary to customize the ACIs for your deployment. Because the ACIs are completely externalized from the servlets, the only places that need to change are the appropriate Directory entries. How many changes are needed depends on the level at which the ACIs are modified.

Adding, removing, or modifying ACIs at the top level (the root node) is the easiest case: the changes need only be made in the Directory entry of the root node.

However, if you modify ACIs at the organization level, and the changes must also apply to all organizations created afterwards, you may need to make them in more than one place. When you create a new organization, its default ACIs are copied from the appropriate node in the organization configuration subtree. By default, Delegated Administrator uses the configuration found under the following entry:

dn: cn=domainConfiguration, ou=config, o=ISP

Once you've located the domain configuration subtree, locate the following entry in the subtree:

dn: cn=Domain, cn=objects, cn=servletsconf, <domain configuration subtree DN>

Make the necessary ACI modifications using the same ACI form as other ACI-related attributes in this entry.

In order for the ACI changes to take effect, you must do one of the following:


Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.

Last Updated May 24, 2001