Appendix A
Root and Domain ACI Examples
The ACIs listed in this Appendix are the default ACIs installed when a domain or root node is created in the directory information tree. These ACIs can be modified for your system needs. You can also view these ACIs on-line by doing an LDAP search for the aci attribute on the root and domain entries. Note that domain organization ACIs must be added using LDAP when domain organizations are created. This Appendix contains the following sections: Organization Tree Root Node ACIs, DC Tree Root Node ACIs, Hosted Domain ACIs, and Domain Organization ACIs.
Note
If you are using a DC Tree for domain, user, and group entries (that is, you do not have an Organization Tree), then none of the ACIs for the Organization Tree described in this Appendix are needed. In this case, where "<OrgRoot>" appears in ACIs for the DC Tree, change it to the value of <DCRoot>.
Variable Definitions in ACI Example
<OrgRoot> - Root of the Organization Tree. This is where the user and group entries are created in a default installation.
<DCRoot> - Root of the Domain Component Tree. This is where domain entries are created.
<OrgNodeDN> - Domain node in the Organization Tree. This is where the user and group entries for a domain reside.
<DCNodeDN> - Domain node in the DC Tree. This is where the user and group entries for a domain reside.
<DomainOrgNodeDN> - Root of the Domain Component Tree. This is where domain entries are created.
Organization Tree Root Node ACIs
The ACIs below grant required access to Top-level Administrators, Domain Administrators, Domain Organization Administrators, Family Group Administrators, Mail List Owners, and End Users. Where necessary, additional ACIs are set on domain nodes and domain organization nodes further down the tree. If you are setting up the namespace from scratch (that is, you are not using the iPlanet Message Server installer to prepare the namespace), then you need to set these ACIs on the Organization Tree Root Node yourself.
Code Example A-1    Organization Tree Root Node ACIs
# LDIF folding: a continuation line starts with one space, which is dropped when
# the value is reassembled; a line that must keep a separating space starts with two.
dn: <OrgRoot>
changetype: modify
add: aci
#
#-----------------------------------
# iDA User access control
#
# Allow read and search access to all attributes in all entries
#
aci: (targetattr="*") (version 3.0; acl "NDAUser access -
  product=ims5.0,class=nda,num=1,version=1"; allow (read,search)
  userdn="ldap:///uid=NDAUser,ou=config,<OrgRoot>";)
#
# Allow write access to nsNum* attributes of all domain entries
#
aci: (targetattr="nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains")
  (version 3.0; acl "NDAUser access - product=ims5.0,class=nda,num=2,version=1";
  allow (write) userdn="ldap:///uid=NDAUser,ou=config,<OrgRoot>";)
#
#-----------------------------------
# Service Administrator access control
#
# Allow all access to the root node and every entry below it
#
aci: (targetattr="*") (version 3.0; acl "SA root node access -
  product=ims5.0,class=nda,num=3,version=1"; allow (all)
  groupdn="ldap:///cn=Service Administrators,ou=Groups,<OrgRoot>";)
#
#-----------------------------------
# Domain Administrator control.
#
# Deny write and delete access to any domain container node.
#
aci: (targetfilter="objectclass=nsManagedDomain") (version 3.0; acl
  "Domain Admin domain container access -
  product=ims5.0,class=nda,num=5,version=1"; deny (delete,write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" or
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)";)
#
#-----------------------------------
# User access control
#
# Allow read and search access to self
#
aci: (targetattr="*") (targetfilter=(objectClass=inetOrgPerson)) (version 3.0;
  acl "User self search and read - product=ims5.0,class=nda,num=6,version=1";
  allow (read,search) userdn="ldap:///self";)
#
# Allow write access to self
#
aci: (targetattr="*") (version 3.0; acl "Allow self entry modification -
  product=ims5.0,class=nda,num=7,version=1"; allow (write) userdn = "ldap:///self";)
#
# Deny write access to self for uid, ou, owner, nsDAModifiableBy,
# nsDACapability, mail, mailAlternateAddress, memberOf, nsDADomain and
# the other attributes listed below
#
aci: (targetattr="uid||ou||owner||nsDAModifiableBy||nsDACapability||
 mail||mailAlternateAddress||memberOf||nsDADomain||inetuserstatus||
 mailuserstatus||memberOfManagedGroup||mailQuota||mailMsgQuota||
 inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess||
 pabURI||inetCOS") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "User self modification -
  product=ims5.0,class=nda,num=8,version=1"; deny (write) userdn = "ldap:///self"
  and userdn != "ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)"
  and userdn != "ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)"
  and groupdn != "ldap:///cn=Service Administrators,ou=groups,<OrgRoot>";)
#
# Deny delete access to self
#
aci: (targetfilter=(objectClass=inetOrgPerson)) (version 3.0; acl
  "User self deletion - product=ims5.0,class=nda,num=9,version=1";
  deny (delete) userdn="ldap:///self";)
#
#-----------------------------------
# Mail List access control
#
# Allow designated users to create mail lists
#
aci: (targetattr="*") (targetfilter=(objectClass=inetMailGroupManagement))
  (version 3.0; acl "Mail list create access - product=ims5.0,class=nda,num=10,version=1";
  allow (add) userdn="ldap:///<OrgRoot>??sub?(nsDACapability=mailListCreate)";)
#
# Allow maillist owner read, search, write, and delete access
# to the maillists s/he owns except for the nsMaxUsers attr
#
aci: (targetattr="*") (targetfilter=(objectClass=inetMailGroupManagement))
  (version 3.0; acl "Mail list owner access - product=ims5.0,class=nda,num=11,version=1";
  allow (read,search,write,delete) groupdnattr="ldap:///<OrgRoot>?owner";)
#
#-----------------------------------
# Family Group Administrator access control
#
# family group read access
#
aci: (targetattr="*") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm group read & search access -
  product=ims5.0,class=nda,num=12,version=1"; allow (read,search)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# family group write access for 'description' attribute
#
aci: (targetattr="description") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm description write access -
  product=ims5.0,class=nda,num=13,version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# family group write access for 'mnggrpCurrentUsers' attribute
#
aci: (targetattr="mnggrpCurrentUsers") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm description write access -
  product=ims5.0,class=nda,num=14,version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# family member create,delete,modify permissions
#
aci: (targetattr="*") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "Family Group Adm member access -
  product=ims5.0,class=nda,num=15,version=1"; allow (add,read,search,write,delete)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# access to add,remove family admins of the same admin group
#
aci: (targetattr="uniquemember")
  (targetfilter=(&(|(objectClass=nsManagedDept)(objectClass=nsManagedDeptAdminGroup))
 (cn=Family Group Administrators*)))
  (version 3.0; acl "Family Group Adm admin write access -
  product=ims5.0,class=nda,num=16,version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?uniquemember";)
#
# access to add,remove memberof attribute
#
aci: (targetattr="memberOf") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "Family Adm user access -
  product=ims5.0,class=nda,num=17,version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
#-----------------------------------
# Domain Organization Administrator
#
# access to the Domain Organization nodes.
#
aci: (targetattr="*") (targetfilter=(objectClass=inetdomainorg))
  (version 3.0; acl "Domain Organization Administrator - Dom Org node read & search
  access - product=ims5.0,class=nda,num=21,version=1"; allow (read,search)
  groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# write access for selected attributes
#
aci: (targetattr="description||domOrgMaxUsers") (targetfilter=(objectClass=inetdomainorg))
  (version 3.0; acl "Domain Organization Administrator - Dom Org node write access -
  product=ims5.0,class=nda,num=22,version=1"; allow (write)
  groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)

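To audit what a root node actually grants, the aci values can be pulled back with an LDAP search and parsed. The following is an added example, not part of the iPlanet documentation: it unfolds LDIF as ldapsearch prints it, parses each rule of the version 3.0 ACI syntax used above (targetattr, targetfilter, the acl label with its num tag, allow or deny, rights, bind rule), and lists every bind rule that holds (all) rights on every attribute. The suffix o=example.com and the full_control_grants check are this example's own assumptions; the two folded rules are constructed from Code Example A-1.

```python
import re
from dataclasses import dataclass
# Constructed sample (not from the page): two root-node rules with <OrgRoot> set
# to a hypothetical suffix, folded as ldapsearch prints long values. Unfolding
# drops exactly one leading space, so a kept space needs a two-space indent.
SAMPLE_LDIF = """\
dn: o=example.com
aci: (targetattr="*") (version 3.0; acl "SA root node access -
  product=ims5.0,class=nda,num=3,version=1"; allow (all)
  groupdn="ldap:///cn=Service Administrators,ou=Groups,o=example.com";)
aci: (targetattr="uid||ou||owner") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "User self modification - product=ims5.0,class=nda,
 num=8,version=1"; deny (write) userdn = "ldap:///self" and
  groupdn != "ldap:///cn=Service Administrators,ou=groups,o=example.com";)
"""

@dataclass
class Aci:
    name: str           # the acl "..." label, which carries the num=N tag
    num: int            # -1 when the label has no num= tag
    effect: str         # "allow" or "deny"
    rights: list        # e.g. ["read", "search"]
    targetattr: list    # ["*"] when the rule covers every attribute
    attr_negated: bool  # True for targetattr!="..." (all attributes but these)
    targetfilter: str   # normalised "(...)" form, "" when absent
    bindrule: str       # text after the rights, up to the closing ";)"

def unfold_ldif(text):
    """Return (attribute, value) pairs with folded continuation lines joined."""
    pairs = []
    for line in text.splitlines():
        if line.startswith(" ") and pairs:
            pairs[-1][1] += line[1:]
        elif ":" in line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            pairs.append([attr.strip().lower(), value.strip()])
    return [tuple(p) for p in pairs]

def _filter_at(s, start):
    """Return the (...) group at s[start]; a bare quoted filter gets parentheses."""
    if s[start] != "(":
        return "(" + s[start:].split('"', 1)[0] + ")"
    depth = 0
    for i in range(start, len(s)):
        depth += {"(": 1, ")": -1}.get(s[i], 0)
        if depth == 0:
            return s[start:i + 1]
    raise ValueError("unbalanced parentheses in targetfilter")

def parse_aci(value):
    m = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', value)
    attrs = [a.strip() for a in m.group(2).split("||")] if m else ["*"]
    f = re.search(r'\(targetfilter\s*=\s*"?', value)
    n = re.search(r'acl\s+"([^"]*)"', value)
    num = re.search(r"num=(\d+)", n.group(1))
    rule = re.search(r'\b(allow|deny)\s*\(([^)]*)\)\s*(.*?);\s*\)\s*$',
                     value[n.end():], re.S)   # look only past the label
    return Aci(n.group(1), int(num.group(1)) if num else -1, rule.group(1),
               [r.strip() for r in rule.group(2).split(",")], attrs,
               bool(m and m.group(1) == "!="),
               _filter_at(value, f.end()) if f else "", rule.group(3).strip())

def full_control_grants(acis):
    return [a.bindrule for a in acis if a.effect == "allow" and "all" in a.rights
            and a.targetattr == ["*"] and not a.attr_negated]
```

Feed it the output of an ldapsearch for the aci attribute on <OrgRoot> to compare the installed rules with Code Example A-1; any bind rule in full_control_grants other than the Service Administrators group is worth a second look.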
DC Tree Root Node ACIs
The ACIs below grant required access to Top-level Administrators, Domain Administrators, Domain Organization Administrators, Family Group Administrators, Mail List Owners, and End Users. Where necessary, additional ACIs are set on domain nodes and domain organization nodes further down the tree. If you are setting up the namespace from scratch (that is, you are not using the iPlanet Message Server installer to prepare the namespace), then you need to set these ACIs on the DC Tree Root Node yourself.
Code Example A-2    DC Tree Root Node ACIs
# LDIF folding: a continuation line starts with one space, which is dropped when
# the value is reassembled; a line that must keep a separating space starts with two.
dn: <DCRoot>
changetype: modify
add: aci
#
#-----------------------------------
# iDA User access control
#
# Allow read and search access to all attributes in all entries
#
aci: (targetattr="*") (version 3.0; acl "NDAUser access -
  product=ims5.0,class=nda,num=1,version=1"; allow (read,search)
  userdn="ldap:///uid=NDAUser,ou=config,<OrgRoot>";)
#
# Allow write access to nsNum* attributes of all domain entries
#
aci: (targetattr="nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains")
  (version 3.0; acl "NDAUser access - product=ims5.0,class=nda,num=2,version=1";
  allow (write) userdn="ldap:///uid=NDAUser,ou=config,<OrgRoot>";)
#
#-----------------------------------
# Service Administrator access control
#
# Allow all access to the DC Tree root node and every entry below it
#
aci: (targetattr="*") (version 3.0; acl "SA root node access -
  product=ims5.0,class=nda,num=3,version=1"; allow (all)
  groupdn="ldap:///cn=Service Administrators,ou=Groups,<OrgRoot>";)
#
#-----------------------------------
# Domain Administrator control.
#
# Access to dcroot to search for domain components
#
aci: (targetattr="*") (version 3.0; acl "Domain Admin dc root access -
  product=ims5.0,class=nda,num=4,version=1"; allow (read,search)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" or
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)";)
#
# Deny write and delete access to any domain container node.
#
aci: (targetfilter="objectclass=nsManagedDomain") (version 3.0; acl
  "Domain Admin domain container access -
  product=ims5.0,class=nda,num=5,version=1"; deny (delete,write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" or
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)";)
#
#-----------------------------------
# User access control
#
# Allow read and search access to self
#
aci: (targetattr="*") (targetfilter=(objectClass=inetOrgPerson)) (version 3.0;
  acl "User self search and read - product=ims5.0,class=nda,num=6,version=1";
  allow (read,search) userdn="ldap:///self";)
#
# Allow write access to self
#
aci: (targetattr="*") (version 3.0; acl "Allow self entry modification -
  product=ims5.0,class=nda,num=7,version=1"; allow (write) userdn = "ldap:///self";)
#
# Deny write access to self for uid, ou, owner, nsDAModifiableBy,
# nsDACapability, mail, mailAlternateAddress, memberOf, nsDADomain and
# the other attributes listed below
#
aci: (targetattr="uid||ou||owner||nsDAModifiableBy||nsDACapability||
 mail||mailAlternateAddress||memberOf||nsDADomain||inetuserstatus||
 mailuserstatus||memberOfManagedGroup||mailQuota||mailMsgQuota||
 inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess||
 pabURI||inetCOS") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "User self modification -
  product=ims5.0,class=nda,num=8,version=1"; deny (write) userdn = "ldap:///self"
  and userdn != "ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)"
  and userdn != "ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)"
  and groupdn != "ldap:///cn=Service Administrators,ou=groups,<OrgRoot>";)
#
# Deny delete access to self
#
aci: (targetfilter=(objectClass=inetOrgPerson)) (version 3.0; acl
  "User self deletion - product=ims5.0,class=nda,num=9,version=1";
  deny (delete) userdn="ldap:///self";)
#
#-----------------------------------
# Mail List access control
#
# Allow designated users to create mail lists
#
aci: (targetattr="*") (targetfilter=(objectClass=inetMailGroupManagement))
  (version 3.0; acl "Mail list create access - product=ims5.0,class=nda,num=10,version=1";
  allow (add) userdn="ldap:///<DCRoot>??sub?(nsDACapability=mailListCreate)";)
#
# Allow maillist owner read, search, write, and delete access
# to the maillists s/he owns except for the nsMaxUsers attr
#
aci: (targetattr="*") (targetfilter=(objectClass=inetMailGroupManagement))
  (version 3.0; acl "Mail list owner access - product=ims5.0,class=nda,num=11,version=1";
  allow (read,search,write,delete) groupdnattr="ldap:///<DCRoot>?owner";)
#
#-----------------------------------
# Family Group Administrator access control
#
# family group read access
#
aci: (targetattr="*") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm group read & search access -
  product=ims5.0,class=nda,num=12,version=1"; allow (read,search)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# family group write access for 'description' attribute
#
aci: (targetattr="description") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm description write access -
  product=ims5.0,class=nda,num=13,version=1"; allow (write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# family group write access for 'mnggrpCurrentUsers' attribute
#
aci: (targetattr="mnggrpCurrentUsers") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm description write access -
  product=ims5.0,class=nda,num=14,version=1"; allow (write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# family member create,delete,modify permissions
#
aci: (targetattr="*") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "Family Group Adm member access -
  product=ims5.0,class=nda,num=15,version=1"; allow (add,read,search,write,delete)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# access to add,remove family admins of the same admin group
#
aci: (targetattr="uniquemember")
  (targetfilter=(&(|(objectClass=nsManagedDept)(objectClass=nsManagedDeptAdminGroup))
 (cn=Family Group Administrators*)))
  (version 3.0; acl "Family Group Adm admin write access -
  product=ims5.0,class=nda,num=16,version=1"; allow (write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?uniquemember";)
#
# access to add,remove memberof attribute
#
aci: (targetattr="memberOf") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "Family Adm user access -
  product=ims5.0,class=nda,num=17,version=1"; allow (write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# Family Admin needs to read domain to get the dn
#
aci: (targetattr="objectclass||preferredmailhost||preferredmailmessagestore")
  (targetfilter=(objectClass=domain))
  (version 3.0; acl "Family Adm domain access -
  product=ims5.0,class=nda,num=18,version=1"; allow (read,search)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)" or
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)";)
#
#-----------------------------------
# Domain Organization Administrator
#
# Allow domain organization administrators to read the
# attributes from the dc tree.
#
aci: (targetattr="objectclass||preferredmailhost||preferredmailmessagestore||dc")
  (targetfilter=(objectClass=domain))
  (version 3.0; acl "Domain Organization Admin domain access -
  product=ims5.0,class=nda,num=20,version=1"; allow (read,search)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Organization Administrators*)" or
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Organization Administrators*)";)
#
# access to the Domain Organization nodes.
#
aci: (targetattr="*") (targetfilter=(objectClass=inetdomainorg))
  (version 3.0; acl "Domain Organization Administrator - Dom Org node read & search
  access - product=ims5.0,class=nda,num=21,version=1"; allow (read,search)
  groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# write access for selected attributes
#
aci: (targetattr="description||domOrgMaxUsers") (targetfilter=(objectClass=inetdomainorg))
  (version 3.0; acl "Domain Organization Administrator - Dom Org node write access -
  product=ims5.0,class=nda,num=22,version=1"; allow (write)
  groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)

Hosted Domain ACIs
The ACIs below grant required access to Domain Administrators, Mail List Owners, and End Users. The six ACIs below are for the standard two-tree namespace: five rules are set on the domain node in the Organization Tree and one on the domain node in the DC Tree. If you are using a namespace with just a single DC Tree, all six rules are set on the hosted domain node. These ACIs must be set for every domain you provision.
Code Example A-3    Hosted Domain ACIs
# LDIF folding: a continuation line starts with one space, which is dropped when
# the value is reassembled; a line that must keep a separating space starts with two.
dn: <OrgNodeDN>
changetype: modify
add: aci
#
#-----------------------------------
# Domain Administrator access control
#
# allow full access to the domain's user/group subtree
#
aci: (targetattr="*") (version 3.0; acl "Domain Admin Domain access -
  product=ims5.0,class=nda,num=18,version=1"; allow (all)
  groupdn="ldap:///cn=Domain Administrators,ou=Groups,<OrgNodeDN>";)
#
#-----------------------------------
# End user access control
#
# allow users to read and search all users in the domain
# (every attribute except userPassword)
#
aci: (targetattr!="userPassword")
  (targetfilter=(|(objectClass=inetOrgPerson)(objectclass=nsManagedDomain)))
  (version 3.0; acl "User access to all users in domain -
  product=ims5.0,class=nda,num=19,version=1"; allow (read,search)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)
#
# allow users to add themselves to self subscribe mail lists
#
aci: (targetattr="uniqueMember")
  (targetfilter=(&(objectClass=nsManagedMailList)
 (|(mgmanJoinability=anyone)(mgmanJoinability=all))))
  (version 3.0; acl "User mail list self subscribe access -
  product=ims5.0,class=nda,num=20,version=1"; allow (selfwrite)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)
#
# let users read mail lists that are not marked hidden
# (the member attributes are handled by the next rule)
#
aci: (targetattr!="uniqueMember||mgrpRfc822MailMember")
  (targetfilter=(&(objectClass=inetMailGroupManagement)(mgmanHidden=false)))
  (version 3.0; acl "User mail list access when visible -
  product=ims5.0,class=nda,num=21,version=1"; allow (read,search)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)
#
# show mail list members only when member visibility allows it
#
aci: (targetattr="uniqueMember||mgrpRfc822MailMember")
  (targetfilter=(&(objectClass=inetMailGroupManagement)
 (|(mgmanMemberVisibility=anyone)(mgmanMemberVisibility=all))))
  (version 3.0; acl "User mail list member access -
  product=ims5.0,class=nda,num=22,version=1"; allow (read,search)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)

dn: <DCNodeDN>
changetype: modify
add: aci
#
#-----------------------------------
# Domain Administrator access to iCS attributes
#
aci: (targetattr="icsTimeZone||icsMandatorySubscribed||icsMandatoryView||
 icsDefaultAccess||icsRecurrenceBound||icsRecurrenceDate||icsAnonymousLogin||
 icsAnonymousAllowWrite||icsAnonymousCalendar||icsAnonymousSet||
 icsAnonymousDefaultSet||icsSessionTimeout||icsAllowRights||icsExtended||
 icsExtendedDomainPrefs") (targetfilter=(objectClass=icsCalendarDomain))
  (version 3.0; acl "Domain Adm calendar access -
  product=ims5.0,class=nda,num=16,version=1"; allow (all)
  groupdn="ldap:///cn=Domain Administrators,ou=Groups,<OrgNodeDN>";)

Domain Organization ACIs
These need to be added to every domain organization provisioned.
Code Example A-4    Domain Organization ACIs
# LDIF folding: a continuation line starts with one space, which is dropped when
# the value is reassembled; a line that must keep a separating space starts with two.
dn: <DomainOrgNodeDN>
changetype: modify
add: aci
#
# Rights to modify, add, delete users
#
aci: (target="ldap:///uid=*,ou=people,<DomainOrgNodeDN>") (targetattr="*")
  (targetfilter=(objectclass=organizationalPerson))
  (version 3.0; acl "Domain Organization Admin User add,delete,write -
  product=ims5.0,class=nda,num=201,version=1"; allow (add,write,delete)
  groupdn="ldap:///cn=Domain Organization Administrators,<DomainOrgNodeDN>";)
#
# Rights to modify, add, delete mailing lists.
#
aci: (target="ldap:///cn=*,ou=groups,<DomainOrgNodeDN>") (targetattr="*")
  (targetfilter=(objectclass=inetMailGroup))
  (version 3.0; acl "Domain Organization Admin User add,delete,write -
  product=ims5.0,class=nda,num=202,version=1"; allow (add,write,delete)
  groupdn="ldap:///cn=Domain Organization Administrators,<DomainOrgNodeDN>";)