Red Hat Directory Server 7.1 Deployment Manual: Targets; Permissions

Designing Access Control
You can set a permission that allows anyone binding as Babs Jensen to write to
Babs Jensen's telephone number. The bind rule in this permission is the part that
states "if you bind as Babs Jensen." The target is Babs Jensen's phone number, and
the permission is write access.

Targets

You must decide what entry is targeted by every ACI you create in your
directory. If you target a directory entry that is a directory branch point, then that
branch point, as well as all of its child entries, are included in the scope of the
permission. If you do not explicitly specify a target entry for the ACI, then the ACI
is targeted to the directory entry that contains the ACI statement. Also, the default
set of attributes targeted by the ACI is any attribute available in the targeted
entry's object class structure.
For every ACI, you can target only one entry or only those entries that match a
single LDAP search filter.
In addition to targeting entries, you can also target attributes on the entry. This
allows you to set a permission that applies to only a subset of attribute values.
You can target sets of attributes by explicitly naming those attributes that are
targeted or by explicitly naming the attributes that are not targeted by the ACI.
Use the latter case if you want to set a permission for all but a few attributes
allowed by an object class structure.
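The following LDIF is an added example, not text from the manual, showing the three ways of scoping an ACI that this section describes: an ACI with no explicit target (so it applies to the entry holding it), a target on a branch point narrowed by a search filter, and the `targetattr !=` form that names the attributes that are not targeted. The suffix dc=example,dc=com, the entry uid=bjensen, and the attribute names are constructed for the example.

```ldif
# Constructed example: the suffix dc=example,dc=com and the entry
# uid=bjensen are assumed; they are not taken from the manual.

# 1. ACI stored on Babs Jensen's own entry. No target keyword is given,
#    so the ACI is targeted at the entry that contains it, and targetattr
#    limits the scope to the single attribute telephoneNumber.
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="telephoneNumber")(version 3.0; acl "Babs edits her own telephone number"; allow (write) userdn="ldap:///self";)

# 2. ACI stored on a branch point. The target is the ou=People subtree,
#    so that entry and every child entry are in scope; targetfilter keeps
#    only the entries matching one LDAP search filter; targetattr with !=
#    lists the attributes that are NOT targeted, so every other attribute
#    allowed by the entries' object classes is covered by the permission.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=People,dc=example,dc=com")(targetfilter="(objectClass=inetOrgPerson)")(targetattr != "userPassword || employeeNumber")(version 3.0; acl "Authenticated users read all but sensitive attributes"; allow (read,search) userdn="ldap:///all";)
```

Apply either record with `ldapmodify` as a user permitted to modify the `aci` attribute. The exclusion form is convenient when only a few attributes must be kept back, but it grants the permission on every attribute the object classes allow, including attributes added to the schema later; when the set of attributes to expose is small, naming them explicitly is the safer choice.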

Permissions

You allow or deny permissions. In general, you should avoid denying
permissions for the reasons explained in "Allowing or Denying Access," on
page 178.
You can allow or deny the following permissions:
Read — Indicates whether directory data may be read.
Write — Indicates whether directory data may be changed or created. This
permission also allows directory data to be deleted but not the entry itself. To
delete an entire entry, the user must have delete permissions.
Search — Indicates whether the directory data can be searched. This differs
from the Read permission in that Read allows directory data to be viewed if it
is returned as part of a search operation. For example, if you allow searching
for common names and read for a person's room number, then the room
number can be returned as part of the common name search, but the room
number cannot, itself, be searched for. This would prevent people from
searching your directory to see who it is that sits in a particular room.
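As an added example (not from the manual), the ACIs below implement the room-number scenario described above and the write-versus-delete distinction: common names can be searched and read, room numbers can only be read, so they appear in name-search results but cannot be used as a search filter, and deleting entries requires the separate delete permission. The suffix, the group DN, and the attribute choices are constructed for the example.

```ldif
# Constructed example: suffix dc=example,dc=com and the group
# cn=Directory Administrators are assumed, not taken from the manual.
# All three ACIs are stored on the ou=People branch, so they cover that
# entry and everything beneath it.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
# read + search on cn: authenticated users may put cn in a search filter
# and see the value in the results.
aci: (targetattr="cn")(version 3.0; acl "Find people by common name"; allow (read,search) userdn="ldap:///all";)
# read only on roomNumber: the value is returned alongside cn in a name
# search, but a filter such as (roomNumber=1234) matches nothing for these
# users, so nobody can enumerate who sits in a given room.
aci: (targetattr="roomNumber")(version 3.0; acl "See room numbers but do not search by them"; allow (read) userdn="ldap:///all";)
# delete on whole entries is a separate permission: write on an attribute
# lets a user change or remove values, never remove the entry itself.
aci: (version 3.0; acl "Administrators may delete person entries"; allow (delete) groupdn="ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
```

After loading the record, a quick check is to bind as an ordinary user and run one search with the filter `(cn=Babs Jensen)` and another with `(roomNumber=1234)`: the first returns the entry with its roomNumber, the second returns no entries, which confirms that search and read are being evaluated independently.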
176
Red Hat Directory Server Deployment Guide • May 2005
