Granting Conditional Access To A Group Or Role - Red Hat DIRECTORY SERVER 8.0 - ADMINISTRATION Administration Manual

Chapter 6. Managing Access Control

6.9.6. Granting Conditional Access to a Group or Role

In many cases, when you grant a group or role privileged access to the directory, you want to ensure that those privileges are protected from intruders trying to impersonate your privileged users. For that reason, access control rules that grant critical access to a group or role are usually tied to a number of conditions on the bind itself.

example.com has created a directory administrator role for each of its hosted companies, HostedCompany1 and HostedCompany2. It wants these companies to be able to manage their own data and implement their own access control rules while securing that data against intruders. For this reason, HostedCompany1 and HostedCompany2 have full rights on their respective branches of the directory tree, provided the following conditions are fulfilled:
• Connection authenticated using SSL
• Access requested between 8 a.m. and 6 p.m., Monday through Thursday
• Access requested from a specified IP address for each company
These conditions are expressed in a single ACI for each company, HostedCompany1 and HostedCompany2. Because the content of these ACIs is the same, the examples below illustrate the HostedCompany1 ACI only.
6.9.6.1. ACI "HostedCompany1"
In LDIF, to grant HostedCompany1 full access to their own branch of the directory under the
conditions stated above, write the following statement:
# Added to the entry that owns the HostedCompany1 branch. Each continuation line
# starts with two spaces: LDIF strips the first, the second keeps tokens separated.
dn: ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")
  (targetattr="*")(version 3.0; acl "HostedCompany1"; allow (all)
  (roledn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")
  and (authmethod="ssl") and (dayofweek="Mon,Tues,Wed,Thu")
  and (timeofday >= "0800" and timeofday <= "1800") and (ip="255.255.123.234");)
This example assumes that the ACI is added to the ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com entry, which is why that DN appears on the dn line. The target keyword takes an LDAP URL, so the branch DN is written with the ldap:/// prefix, as the roledn already is.
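To reason about how the bind-rule chain above behaves at its edges (the 18:00 cutoff, a non-SSL bind, a bind from another address), here is an added Python model of those five conditions; it is not Directory Server code, the function names are hypothetical, and it assumes the server evaluates dayofweek and timeofday in its local time and compares the ip keyword literally.

```python
from datetime import datetime

# Bind-rule conditions of the "HostedCompany1" ACI from this page, restated as
# data. Constructed model for illustration only; it does not talk to a server.
HOSTEDCOMPANY1_RULE = {
    "roledn": "cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com",
    "authmethod": "ssl",
    "dayofweek": {"Mon", "Tue", "Wed", "Thu"},  # the ACI's "Tues" is Tuesday
    "timeofday": ("0800", "1800"),  # HHMM strings; both bounds inclusive (>= and <=)
    "ip": "255.255.123.234",
}


def failing_conditions(rule, roles, authmethod, when, client_ip):
    """Return the names of the ACI conditions that do NOT hold for one bind.

    roles      -- set of role DNs (nsRole values) of the bound entry
    authmethod -- "ssl", "simple", "sasl", or "none" for an anonymous bind
    when       -- datetime or ISO-8601 string, in the server's local time
    client_ip  -- client address as a string, compared literally to the ip keyword
    An empty list means every condition holds and the ACI grants access.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    # DNs compare case-insensitively, so normalise both sides.
    roles_lc = {r.lower() for r in roles}
    checks = {
        "roledn": rule["roledn"].lower() in roles_lc,
        "authmethod": authmethod.lower() == rule["authmethod"],
        "dayofweek": when.strftime("%a") in rule["dayofweek"],
        # Zero-padded HHMM strings sort chronologically, so string compare is enough.
        "timeofday": rule["timeofday"][0] <= when.strftime("%H%M") <= rule["timeofday"][1],
        "ip": client_ip == rule["ip"],
    }
    return [name for name, ok in checks.items() if not ok]


def access_allowed(rule, roles, authmethod, when, client_ip):
    """True only when the whole 'and' chain of the bind rule is satisfied."""
    return not failing_conditions(rule, roles, authmethod, when, client_ip)


if __name__ == "__main__":
    admin = {"cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com"}
    # Constructed bind attempts: Tuesday 09:15 over SSL from the allowed address passes ...
    print(access_allowed(HOSTEDCOMPANY1_RULE, admin, "ssl", "2024-01-09T09:15", "255.255.123.234"))
    # ... the same bind one minute after the 18:00 cutoff is refused by timeofday alone.
    print(failing_conditions(HOSTEDCOMPANY1_RULE, admin, "ssl", "2024-01-09T18:01", "255.255.123.234"))
```

When an administrator reports "access denied", running their bind context through failing_conditions shows which clause of the ACI refused it.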
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the HostedCompany1 entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, type HostedCompany1 in the ACI name field. In the list of users granted access permission, do the following:
   a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens.
   b. Set the Search area to Users and Groups, and type DirectoryAdmin in the Search For field.
194