Determining Data Access - Red Hat Directory Server 8.1 Deployment Manual

Chapter 2. Planning the Directory Data
This approach allows an organization's administrators to function as the directory content managers.
• Create roles that give groups of people read or write access privileges.
For example, create roles for human resources, finance, or accounting, and grant each role read
access, write access, or both to the data that group needs. This could include salary information,
government identification numbers, and home phone numbers and addresses.
For more information about roles and grouping entries, see Section 4.3, "Grouping Directory
Entries".
Multiple individuals may need write access to the same information. For example, an information
systems (IS) or directory management group probably requires write access to employee passwords,
and it is usually desirable for employees to be able to write their own passwords as well. Where
several people must have write access to the same data, keep that group small and easy to identify.
Keeping the group of writers small helps ensure data integrity.
For information on setting access control for the directory, see Chapter 8, "Designing a Secure
Directory".

2.3.7. Determining Data Access

After determining data ownership, decide who can read each piece of data. For example, employees'
home phone numbers can be stored in the directory. This data may be useful to several parts of the
organization, such as the employee's manager and human resources, and employees should be able to
read their own entry to verify it. However, home contact information is sensitive, so it should not
be widely available across the enterprise.
For each piece of information stored in the directory, decide the following:
• Can the data be read anonymously?
The LDAP protocol supports anonymous access, which allows easy lookups of common information
such as office locations, email addresses, and business telephone numbers. However, anonymous
access exposes that information to anyone who can reach the directory over the network, and
leaves no record of who read it. Consequently, use anonymous access sparingly, and limit it to
the specific attributes that genuinely need to be public.
• Can the data be read widely across the enterprise?
Access control can be set so that a client must log in to (bind to) the directory before it can
read specific information. Unlike anonymous access, this ensures that only members of the
organization who hold directory credentials can view the information. The bind DN is also
recorded in the directory's access log, so there is a record of who accessed the information.
For more information about access controls, see Section 8.7, "Designing Access Control".
• Is there an identifiable group of people or applications that need to read the data?
Anyone who has write privileges to the data generally also needs read access. Passwords are the
exception: an account that is allowed to set a password does not need to be able to read it. There
may also be data specific to a particular organization or project group. Identifying these access
needs helps determine what groups, roles, and access controls the directory needs.
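The following is an added example, written for this page and not taken from the Deployment Guide, of how the decisions in this section and the role and password points above translate into Red Hat Directory Server access control instructions (ACIs). It grants anonymous read of business contact data only, authenticated read of organizational data, read of home contact data to the employee, the employee's manager and an HR group, salary access by role, and write-without-read on userPassword for the employee and an IS group. The suffix dc=example,dc=com, the group and role DNs, and the salary attribute are assumptions; salary is not in the default schema and stands in for whatever attribute holds that data in your deployment.

```ldif
# Added example, not from the Deployment Guide. All DNs below are constructed
# for illustration; dc=example,dc=com and the group/role entries are assumed
# to exist. Apply with:
#   ldapmodify -x -D "cn=Directory Manager" -W -f access-design.ldif
#
# Continuation lines start with two spaces: the first is LDIF line folding,
# the second keeps the ACI tokens separated once the lines are joined.

dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
# 1. Anonymous read: only the common business contact attributes. Anyone who
#    can reach the port sees these, so the targetattr list is kept short.
#    Avoid the broad form, which exposes home phone numbers and more to
#    unauthenticated clients:
#      (targetattr="*")(version 3.0; acl "x"; allow (read,search,compare)
#      userdn="ldap:///anyone";)
aci: (targetattr="cn || sn || givenName || mail || telephoneNumber ||
  physicalDeliveryOfficeName")(version 3.0;
  acl "Anonymous read of business contact data";
  allow (read, search, compare) userdn="ldap:///anyone";)
-
add: aci
# 2. Enterprise-wide read after a bind: organizational data visible to any
#    authenticated user. The bind DN appears in the access log for each read.
aci: (targetattr="title || ou || departmentNumber || manager || employeeNumber")
  (version 3.0; acl "Authenticated read of organizational data";
  allow (read, search, compare) userdn="ldap:///all";)
-
add: aci
# 3. Home contact information: the employee, the employee's manager (the bind
#    DN must equal the target entry's own manager attribute) and the HR group.
aci: (targetattr="homePhone || homePostalAddress || mobile")(version 3.0;
  acl "Home contact data: self, manager, HR";
  allow (read, search, compare)
  userdn="ldap:///self" or userattr="manager#USERDN" or
  groupdn="ldap:///cn=Human Resources,ou=Groups,dc=example,dc=com";)
-
add: aci
# 4. Salary data (assumed custom attribute): the HR role may read and write,
#    the Finance role may read only. Roles are referenced by the DN of the
#    role definition entry.
aci: (targetattr="salary")(version 3.0; acl "Salary: HR read and write";
  allow (read, search, compare, write)
  roledn="ldap:///cn=HR,ou=Roles,dc=example,dc=com";)
aci: (targetattr="salary")(version 3.0; acl "Salary: Finance read";
  allow (read, search, compare)
  roledn="ldap:///cn=Finance,ou=Roles,dc=example,dc=com";)
-
add: aci
# 5. Passwords: write without read. Employees may change their own password
#    and the IS/directory-management group may reset any password. No ACI
#    grants read on userPassword; a bind only needs the server to compare it.
aci: (targetattr="userPassword")(version 3.0; acl "Self password change";
  allow (write) userdn="ldap:///self";)
aci: (targetattr="userPassword")(version 3.0; acl "IS password reset";
  allow (write)
  groupdn="ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
```

Each decision in the section maps to one targetattr list and one set of bind rules, so reviewing who can read a given attribute is a matter of reading the ACIs that name it. Because Directory Server denies anything no ACI allows, attributes omitted from every targetattr list (for example, a government identification number) remain readable only by the Directory Manager until an explicit ACI is added for them.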
