Where To Place Access Control Rules; Using Filtered Access Control Rules - Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual

Chapter 8. Designing a Secure Directory
For example, to make sure that Mail Administrators are not allowed write access to the common name
attribute, set an ACI that explicitly denies write access to the common name attribute.

8.7.2.4. Where to Place Access Control Rules

Access control rules can be placed on any entry in the directory. Often, administrators place access
control rules on entries with the object classes domainComponent, country, organization,
organizationalUnit, inetOrgPerson, or group.
Organize rules into groups as much as possible in order to simplify ACL administration. Rules
generally apply to their target entry and to all of that entry's children. Consequently, it is best to place
access control rules on root points in the directory or on directory branch points, rather than scatter
them across individual leaf (such as person) entries.

8.7.2.5. Using Filtered Access Control Rules

One of the more powerful features of the Directory Server ACI model is the ability to use LDAP search
filters to set access control. Use LDAP search filters to set access to any directory entry that matches
a defined set of criteria.
For example, a rule can allow read access to any entry that contains an organizationalUnit attribute
set to Marketing.
Filtered access control rules also let users opt into predefined levels of access. Suppose the directory
contains home address and telephone number information. Some people want to publish this information,
while others want to be unlisted. There are several ways to address that:
• Create an attribute on every user's directory entry called publishHomeContactInfo.
• Set an access control rule that grants read access to the homePhone and homePostalAddress
attributes only for entries whose publishHomeContactInfo attribute is set to true (meaning
enabled). Use an LDAP search filter to express the target for this rule.
• Allow the directory users to change the value of their own publishHomeContactInfo attribute to
either true or false. In this way, the directory user can decide whether this information is publicly
available.
For more information about using LDAP search filters and on using LDAP search filters with ACIs,
refer to the Red Hat Directory Server Administrator's Guide.
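The publishHomeContactInfo pattern above, written out as two Directory Server ACIs and run through a small evaluator. This is an added example, not text or code from the Deployment Guide: the suffix dc=example,dc=com, the branch ou=People, the user entries, and the helper names (filtered_aci, aci_ldif, parse_aci, permitted) are all constructed for illustration. The evaluator handles only the subset of ACI syntax it generates (targetattr, a single equality targetfilter, allow/deny, and userdn anyone/self), which is enough to show how the targetfilter clause gates the same rule per entry and why an unset flag leaves a user unlisted.

```python
"""Filtered ACI example (added; not from the Red Hat Directory Server manual).
All DNs, entries and helper names are constructed sample data."""
import re

SUFFIX = "dc=example,dc=com"  # assumed suffix for the sample directory


def filtered_aci(name, target_attrs, rights, bind_rule, target_filter=None, effect="allow"):
    """Render one ACI value in Directory Server v3.0 syntax; targetfilter is optional."""
    attrs = " || ".join(target_attrs)
    rights_s = ",".join(rights)
    clauses = [f'(targetattr="{attrs}")']
    if target_filter:
        clauses.append(f'(targetfilter="{target_filter}")')
    clauses.append(f'(version 3.0; acl "{name}"; {effect} ({rights_s}) {bind_rule};)')
    return "".join(clauses)


# Rule 1: anyone may read home contact data, but only on entries that opted in.
PUBLISH_ACI = filtered_aci(
    "Publish home contact info on request",
    ["homePhone", "homePostalAddress"],
    ["read", "search", "compare"],
    'userdn="ldap:///anyone"',
    target_filter="(publishHomeContactInfo=TRUE)",
)
# Rule 2: each user may flip only their own flag (ldap:///self).
SELF_FLAG_ACI = filtered_aci(
    "Users manage their own publish flag",
    ["publishHomeContactInfo"],
    ["write"],
    'userdn="ldap:///self"',
)
ACIS = [PUBLISH_ACI, SELF_FLAG_ACI]


def aci_ldif(dn, acis):
    """LDIF modify record that adds the ACIs at a branch point, for ldapmodify."""
    lines = [f"dn: {dn}", "changetype: modify", "add: aci"]
    lines += [f"aci: {a}" for a in acis]
    return "\n".join(lines) + "\n"


_ACI_RE = re.compile(
    r'\(targetattr="(?P<attrs>[^"]+)"\)'
    r'(?:\(targetfilter="\((?P<fattr>[^=]+)=(?P<fval>[^)]+)\)"\))?'
    r'\(version 3\.0; acl "[^"]+"; (?P<effect>allow|deny) '
    r'\((?P<rights>[^)]+)\) userdn="ldap:///(?P<who>[^"]+)";\)'
)


def parse_aci(aci):
    """Parse the ACI subset produced by filtered_aci; attribute names are lower-cased."""
    m = _ACI_RE.fullmatch(aci)
    if not m:
        raise ValueError(f"unsupported ACI syntax: {aci}")
    return {
        "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
        "filter": (m["fattr"].lower(), m["fval"]) if m["fattr"] else None,
        "effect": m["effect"],
        "rights": {r.strip() for r in m["rights"].split(",")},
        "who": m["who"],
    }


def permitted(acis, entry, attr, right, bind_dn=""):
    """Decide one (entry, attribute, right) for bind_dn ("" means anonymous).
    Default deny; a matching deny ACI wins over any allow, as in Directory Server.
    Entry attribute keys are lower-case; values are lists of strings."""
    attr = attr.lower()
    granted = False
    for rule in map(parse_aci, acis):
        if attr not in rule["attrs"] or right not in rule["rights"]:
            continue
        if rule["filter"]:  # the targetfilter must match this entry, else the rule is silent
            fattr, fval = rule["filter"]
            if not any(v.lower() == fval.lower() for v in entry.get(fattr, [])):
                continue
        if rule["who"] == "self" and bind_dn.lower() != entry["dn"].lower():
            continue  # ldap:///self matches only the entry's own DN
        if rule["effect"] == "deny":
            return False
        granted = True
    return granted


# Constructed sample entries: Alice opted in, Bob opted out, Carol never set the flag.
ALICE = {"dn": f"uid=alice,ou=People,{SUFFIX}", "publishhomecontactinfo": ["TRUE"], "homephone": ["+1 555 0100"]}
BOB = {"dn": f"uid=bob,ou=People,{SUFFIX}", "publishhomecontactinfo": ["FALSE"], "homephone": ["+1 555 0101"]}
CAROL = {"dn": f"uid=carol,ou=People,{SUFFIX}", "homephone": ["+1 555 0102"]}

if __name__ == "__main__":
    print(aci_ldif(f"ou=People,{SUFFIX}", ACIS))
    for who in (ALICE, BOB, CAROL):
        print(who["dn"], "homePhone readable by anonymous:", permitted(ACIS, who, "homePhone", "read"))
```

Placing the LDIF at ou=People follows the advice in 8.7.2.4: one rule at the branch point covers every user beneath it, and the filter, not a per-user ACI, decides who is listed. Carol shows the safe default: with no flag set the filter does not match, so nothing is exposed until she writes TRUE to her own entry.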

8.7.3. Viewing ACIs: Get Effective Rights

It can be necessary to view access controls set on an entry to grant fine-grained access control or for
efficient entry management. Get effective rights is an extended ldapsearch which returns the access
control permissions set on each attribute within an entry, and allows an LDAP client to determine what
operations the server's access control configuration allows a user to perform.
The access control information is divided into two groups of access: rights for an entry and rights
for an attribute. "Rights for an entry" means the rights, such as modify or delete, that are limited to
that specific entry. "Rights for an attribute" means the access right to every instance of that attribute
throughout the directory.
This kind of detailed access control may be necessary in the following types of situations: