When To Deny Access; Where To Place Access Control Rules - Netscape DIRECTORY SERVER 6.0 - DEPLOYMENT Deployment Manual


By granting only allow privileges, you avoid the need to set an explicit deny
privilege at all.

When to Deny Access

You rarely need to set an explicit deny. However, an explicit deny can be
useful in the following circumstances:

You have a large directory tree with a complicated ACL spread across it.
For security reasons, you suddenly need to deny access to a particular user,
group, or physical location. Rather than spend the time carefully examining
your existing ACL to work out how to restrict the allow permissions
appropriately, you may want to set a temporary explicit deny until you have
time for that analysis. If your ACL has become this complicated, the deny ACI
only adds to your administrative burden in the long run. As soon as possible,
rework your ACL to avoid the explicit deny and simplify your overall access
control scheme.

You want to restrict access based on the day of the week or the hour of the day.
For example, you can deny all write activity from Sunday at 11:00 p.m. (2300)
to Monday at 1:00 a.m. (0100). From an administrative point of view, it may be
easier to manage one ACI that explicitly restricts time-based access of this
kind than to search the directory for every ACI that allows write access and
restrict the scope of each one to exclude that time frame.

You want to restrict privileges when you delegate directory administration
authority to multiple people.
If you allow a person or group of people to manage part of the directory tree
but want to make sure they cannot modify some aspect of it, use an explicit
deny. For example, if you want to make sure the Mail Administrators are not
allowed write access to the common name attribute, set an ACI that explicitly
denies them write access to that attribute.

Where to Place Access Control Rules

Access control rules can be placed on any entry in the directory. Often
administrators place access control rules on entries of type country,
organization, organizationalUnit, inetOrgPerson, or group.

To simplify your ACL administration, group your rules as much as possible. Since
a rule generally applies to its target entry and to all that entry's children, it is best to
place access control rules on root points in the directory or on directory branch
points, rather than scatter them across individual leaf (such as person) entries.

Chapter 7 Designing a Secure Directory: Designing Access Control
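The two explicit-deny cases above (the Sunday-night write freeze and the Mail Administrators restriction on cn), written as ACIs and placed on a branch point as the placement advice recommends. This is an added example, not text from the manual; the suffix dc=example,dc=com, the ou=People branch, and the group DN are assumed.

```ldif
# Added example (not from the manual). Both ACIs sit on ou=People so that
# they also cover every entry beneath it, instead of on individual leaves.
# dc=example,dc=com and the Mail Administrators group DN are assumed.
# LDIF folds long values: a continuation line starts with one space that is
# stripped on parse, so a second space keeps the ACI tokens separated.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
  (version 3.0; acl "Deny all writes Sunday 2300 to Monday 0100";
  deny (write, add, delete)
  (userdn = "ldap:///anyone") and
  ((dayofweek = "Sun" and timeofday >= "2300") or
  (dayofweek = "Mon" and timeofday < "0100"));)
aci: (targetattr = "cn")
  (version 3.0; acl "Mail Administrators cannot write cn";
  deny (write)
  groupdn = "ldap:///cn=Mail Administrators,ou=Groups,dc=example,dc=com";)
```

Because the time window crosses midnight it needs two day/time clauses joined by or; a single dayofweek = "Sun" rule would stop at 2359. The root DN (Directory Manager) is not subject to ACIs, so neither deny restricts it.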
