When to Deny Access - Red Hat Directory Server 7.1 Deployment Manual


Limit the scope of your allow access rules to include only the smallest possible
subset of users or client applications. For example, you can set permissions that
allow users to write to any attribute on their own directory entry, but then deny all users
except members of the Directory Administrators group the privilege of writing to
the uid attribute. Alternatively, you can write two access rules that grant write
access in the following ways:

- Create one rule that allows write privileges to every attribute except the uid
attribute. This rule should apply to everyone.

- Create one rule that allows write privileges to the uid attribute. This rule
should apply only to members of the Directory Administrators group.

By providing only allow privileges, you avoid the need to set an explicit deny
privilege.
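The two designs just described, written as ACIs in the LDIF that ldapmodify accepts. This is an added example, not text or configuration from the manual. The suffix dc=example,dc=com, the ou=People container, the group DN cn=Directory Administrators,ou=Groups,dc=example,dc=com and the acl names are assumptions.

```ldif
# Added example (not from the manual). Assumed suffix dc=example,dc=com and
# group cn=Directory Administrators,ou=Groups,dc=example,dc=com.
# Apply one design or the other, not both.

# Design 1 (preferred): two allow rules, no explicit deny.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
# Everyone may write their own entry, except the uid attribute. The aci
# attribute is excluded as well (a precaution beyond the manual's text): a user
# who can write aci on their own entry could grant themselves any right.
aci: (targetattr != "uid || aci")(version 3.0; acl "self write, all but uid"; allow (write) userdn = "ldap:///self";)
# Only members of Directory Administrators may write uid.
aci: (targetattr = "uid")(version 3.0; acl "admins write uid"; allow (write) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

# Design 2 (same effect, but relies on an explicit deny that has to be found and
# reasoned about every time the allow rules in the tree change).
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "self write"; allow (write) userdn = "ldap:///self";)
# A deny always wins over an allow, so non-members lose uid write even though
# the rule above grants it.
aci: (targetattr = "uid")(version 3.0; acl "non-admins may not write uid"; deny (write) groupdn != "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
```

Either file is loaded with ldapmodify bound as an administrator. To check the result, bind as an ordinary user and attempt to modify uid on your own entry (expect an insufficient access error), then repeat as a member of the administrators group. Remember that the Directory Manager is not subject to ACIs, so do not use that identity for the check.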

When to Deny Access

You rarely need to set an explicit deny. However, you may find an explicit deny
useful in the following circumstances:

- You have a large directory tree with a complicated ACL spread across it.
For security reasons, you find that you suddenly need to deny access to a particular
user, group, or physical location. Rather than spend the time to carefully examine
your existing ACL to understand how to restrict the allow permissions appropriately,
you may want to temporarily set an explicit deny until you have time to do this
analysis. If your ACL has become this complicated, then in the long run the deny ACI
only adds to your administrative burden. As soon as possible, rework your ACL to
avoid the explicit deny and simplify your overall access control scheme.

- You want to restrict access based on the day of the week or the hour of the day.
For example, you can deny all write activity from Sunday at 11:00 p.m. (2300) to
Monday at 1:00 a.m. (0100). From an administrative point of view, it may be easier
to manage one ACI that explicitly restricts access for this time window than to
search the directory for every allow-for-write ACI and narrow each of their scopes
to exclude that time frame.

- You want to restrict privileges when you are delegating directory
administration authority to multiple people.
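The time-based deny from the second case above, as an added example that is not configuration from the manual. It assumes the suffix dc=example,dc=com and the acl name; the dayofweek and timeofday bind-rule keywords are the server's own.

```ldif
# Added example (not from the manual); the suffix dc=example,dc=com is assumed.
# Deny all modifications from Sunday 23:00 through Monday 00:59, in the
# server's local time. Because a deny takes precedence over any allow, every
# allow-for-write ACI under the suffix is overridden during the window without
# editing any of them. Placing it at the suffix makes it apply to the whole tree.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "freeze writes Sun 2300 to Mon 0100"; deny (write,add,delete) (userdn = "ldap:///anyone") and ( ((dayofweek = "Sun") and (timeofday >= "2300")) or ((dayofweek = "Mon") and (timeofday < "0100")) );)
```

The bind rule is split into two clauses because the window crosses midnight: dayofweek and timeofday are evaluated against the time of the request on the server, so a single range would not express "Sunday night into Monday morning". ldap:///anyone covers anonymous and authenticated binds alike. The Directory Manager bypasses ACIs, so emergency changes during the window remain possible from that account.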
Designing Access Control | Chapter 8, Designing a Secure Directory | 179
