Designing Access Control
Once you decide on one or more authentication schemes to establish the identity of
directory clients, you need to decide how to use those schemes to protect the information
contained in your directory. Access control allows you to specify that certain
clients have access to particular information, while other clients do not.
You specify access control using one or more access control lists (ACLs). Your
directory's ACLs consist of a series of one or more access control information (ACI)
statements that either allow or deny permissions (such as read, write, search, and
compare) to specified entries and their attributes.
Using the ACL, you can set permissions for the following:
• The entire directory
• A particular subtree of the directory
• Specific entries in the directory
• A specific set of entry attributes
• Any entry that matches a given LDAP search filter
In addition, you can set permissions for a specific user, for all users belonging to a
specific group, or for all users of the directory. Lastly, you can define access for a
network location such as an IP address or a DNS name.
About the ACI Format
When designing your security policy, it is helpful to understand how ACIs are
represented in your directory. It is also helpful to understand what permissions
you can set in your directory. This section gives you a brief overview of the ACI
mechanism. For a complete description of the ACI format, see the Netscape
Directory Server Administrator's Guide.
Directory ACIs take the following general form:
target permission bind_rule
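The following is an added example, not code from the Deployment Guide or the Netscape Directory Server product. It parses ACI values written in the general form above into their three parts, the target clauses, the allow or deny permission with its rights, and the bind rule, so that a policy reviewer can list what each ACI grants to whom before it is loaded into the directory. The ACI syntax (`(target ...)(version 3.0; acl "name"; allow|deny (rights) bind_rule;)`) is the one Netscape Directory Server uses; the suffix, group, and hostname values in the samples are constructed for illustration and the `scope_dn` helper is this example's own.

```python
"""Parse Netscape-style ACI statements into target, permission and bind-rule parts.

Added example, not from the Deployment Guide. The ACI syntax follows the general
form (target)(version 3.0; acl "name"; permission bind_rule;) used by Netscape
Directory Server; the DNs, group names and hostnames below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Aci:
    name: str
    targets: dict   # keyword -> (operator, value), e.g. "targetattr" -> ("!=", "userPassword")
    rules: list     # (allow|deny, [rights...], bind_rule) in the order written


_TARGET_CLAUSE = re.compile(r'\s*(\w+)\s*(!?=)\s*"(.*)"\s*$', re.S)
_ACL_HEADER = re.compile(r'\s*acl\s+"([^"]*)"\s*;\s*(.*)$', re.S)
_RULE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*)$', re.S)
_VERSION = '(version 3.0;'


def _top_level_groups(text):
    """Return the contents of each top-level (...) group, keeping nested
    parentheses intact (needed for targetfilter values such as "(ou=Sales)")."""
    groups, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == '(':
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                groups.append(text[start:i])
    if depth != 0:
        raise ValueError("unbalanced parentheses in target clauses")
    return groups


def parse_aci(text):
    """Split one ACI value into its name, target clauses and (permission, bind rule) pairs."""
    text = text.strip()
    idx = text.find(_VERSION)
    if idx < 0:
        raise ValueError("ACI has no (version 3.0; ...) block")
    targets = {}
    for clause in _top_level_groups(text[:idx]):
        m = _TARGET_CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad target clause: {clause!r}")
        keyword, op, value = m.groups()
        targets[keyword] = (op, value)
    body = text[idx + len(_VERSION):]
    if not body.endswith(')'):
        raise ValueError("unterminated acl block")
    m = _ACL_HEADER.match(body[:-1])
    if not m:
        raise ValueError('acl block must start with acl "name";')
    name, rest = m.groups()
    rules = []
    for stanza in (s.strip() for s in rest.split(';')):
        if not stanza:
            continue
        r = _RULE.match(stanza)
        if not r:
            raise ValueError(f"bad permission/bind rule: {stanza!r}")
        rights = [x.strip() for x in r.group(2).split(',') if x.strip()]
        rules.append((r.group(1), rights, r.group(3).strip()))
    if not rules:
        raise ValueError("ACI neither allows nor denies anything")
    return Aci(name, targets, rules)


def scope_dn(aci, placed_on_dn):
    """An ACI with no explicit target applies to the entry (and subtree) it is
    stored on, so report that DN when no target clause is present. A negated
    target ("target != ...") is reported with a leading '!'."""
    op, value = aci.targets.get("target", ("=", f"ldap:///{placed_on_dn}"))
    dn = value.replace("ldap:///", "", 1)
    return dn if op == "=" else "!" + dn


# Constructed sample ACIs covering the scopes listed in the text: a whole suffix
# (no explicit target) minus one attribute, a subtree with all attributes, and a
# search filter combined with a network-location bind rule.
SAMPLE_ACIS = [
    '(targetattr != "userPassword")(version 3.0; acl "Anonymous read"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(target = "ldap:///ou=People,dc=example,dc=com")(targetattr = "*")'
    '(version 3.0; acl "HR admins"; allow (write) '
    'groupdn = "ldap:///cn=HR Admins,ou=Groups,dc=example,dc=com";)',
    '(targetfilter = "(ou=Sales)")(version 3.0; acl "No offsite sales edits"; '
    'deny (write, delete) userdn = "ldap:///anyone" and dns != "*.example.com";)',
]

if __name__ == "__main__":
    for raw in SAMPLE_ACIS:
        aci = parse_aci(raw)
        print(f'{aci.name}: scope={scope_dn(aci, "dc=example,dc=com")} '
              f'targets={aci.targets} rules={aci.rules}')
```

Running the script prints one line per ACI with its effective scope, target clauses and rules; feeding it the `aci` attribute values exported from a directory in LDIF gives a quick inventory of who can do what, and a `ValueError` flags an ACI that is malformed or that grants nothing.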
Netscape Directory Server Deployment Guide • January 2002