test

Sun Java System Delegated Administrator 6.4 管理指南

Access Manager

-------------------------------------------------------------------------------------------------------------

# retain
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Proxy user rights”;
allow (proxy)
userdn = “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”; )

操作:保留。

此 ACI 可授予系统用户访问 Access Manager 的权限。

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
 (target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS special dsame user rights for all under the
root suffix”;
allow (all)
userdn = “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”; )

操作:保留。

此 ACI 可授予系统用户访问 Access Manager 的权限。

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(target=”ldap:///$rootSuffix”)(targetattr=”*”)|
(version 3.0;acl “S1IS special ldap auth user rights”;
allow (read,search)
userdn = “ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”; )

操作:保留。

此 ACI 可授予系统用户访问 Access Manager 的权限。

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”)
(targetattr = “*”)
(version 3.0;
acl “S1IS special ldap auth user modify right”;
deny (write)
roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”;)

操作:放弃。

此 ACI 可阻止顶级管理员 ( Top-Level Administrator, TLA) 修改 amldapuser 帐户。

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Top-level admin rights”;
allow (all)
roledn = “ldap:///cn=Top-level Admin Role,$rootSuffix”; )

操作:保留。

此 ACI 可向顶级管理员角色授予访问权限。

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr=”iplanet-am-saml-user || iplanet-am-saml-password”)
(targetfilter=”(objectclass=iplanet-am-saml-service)”)
(version 3.0; acl “S1IS Right to modify saml user and password”;
deny (all)
(roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”)
AND (userdn != “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”)
AND (userdn != “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”); )

操作:放弃。

此 ACI 可保护 SAML 相关属性。

-------------------------------------------------------------------------------------------------------------