Netscape Directory Server 6.01 Deployment Guide: Permissions


Designing Access Control
Each ACI can target a single entry, or the set of entries that match a single
LDAP search filter.
In addition to targeting entries, you can also target attributes on the entry. This
allows you to set a permission that applies to only a subset of the entry's
attributes. You can target a set of attributes either by explicitly naming the
attributes the ACI covers, or by explicitly naming the attributes it does not cover.
Use the latter form when you want a permission to apply to all but a few of the
attributes allowed by an object class.

Permissions

You allow or deny permissions. In general, you should avoid denying permissions
for the reasons explained in "Allowing or Denying Access," on page 138.
You can allow or deny the following permissions:
Read—Indicates whether directory data may be read.
Write—Indicates whether directory data may be changed or created. This
permission also allows attribute values to be deleted, but not the entry itself. To
delete an entire entry, the user must have Delete permission.
Search—Indicates whether the directory data can be searched. This differs
from the Read permission in that Read allows directory data to be viewed if it
is returned as part of a search operation. For example, if you allow searching
for common names and read for a person's room number, then the room
number can be returned as part of the common name search, but the room
number cannot, itself, be searched for. This would prevent people from
searching your directory to see who it is that sits in a particular room.
Compare—Indicates whether the data may be used in comparison operations.
Compare implies the ability to search, but no directory data is returned by the
search. Instead, a simple Boolean value is returned that indicates whether the
compared values match. This is used to match userPassword attribute values
during directory authentication.
Selfwrite—Used only for group management. This permission allows users
to add their own DN to, or remove it from, a group.
Add—Indicates whether child entries can be created. This permission allows a
user to create child entries beneath the targeted entry.
Delete—Indicates whether an entry can be deleted. This permission allows a
user to delete the targeted entry.
Proxy—Indicates that the user can bind with its own credentials and then
access the directory with the rights of any other DN, except Directory
Manager.
136
Netscape Directory Server Deployment Guide • January 2002
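The permissions listed above, written as aci attribute values in the version 3.0 ACI syntax that Netscape Directory Server uses. This is an added example, not text or configuration from the Deployment Guide; the suffix dc=example,dc=com, the ou=People and ou=Groups containers, the uid=webapp service account, the HR Admins and Editors groups and the ACL names are all assumptions. It also shows the "all but a few attributes" form (targetattr !=) from the targeting paragraph, beside the deny-based form the guide tells you to avoid.

```ldif
# Added example, not from the Deployment Guide. Hypothetical suffix
# dc=example,dc=com with ou=People and ou=Groups; all DNs, group names
# and ACL names are assumptions. Netscape DS version 3.0 ACI syntax.
# An aci value lives on the entry it protects and, unless an explicit
# target is given, covers that entry and everything beneath it.

dn: dc=example,dc=com
changetype: modify
add: aci
# Read vs. Search: names are searchable, roomNumber is only readable.
# (cn=jane*) returns Jane's roomNumber; (roomNumber=204) matches nothing,
# so nobody can search the directory to find out who sits in room 204.
aci: (targetattr = "cn || sn || givenName")
 (version 3.0; acl "anyone may search and read names";
 allow (read, search) userdn = "ldap:///anyone";)
aci: (targetattr = "roomNumber")
 (version 3.0; acl "room number is returned but not searchable";
 allow (read) userdn = "ldap:///all";)
# Compare: a yes/no answer on userPassword without returning the value,
# the operation used to match userPassword during authentication.
aci: (targetattr = "userPassword")
 (version 3.0; acl "password compare";
 allow (compare) userdn = "ldap:///self";)
# Write on all but a few attributes, expressed with targetattr != rather
# than with a deny. Write covers adding, replacing and removing attribute
# values; it does not allow removing the entry itself (that is Delete).
aci: (targetattr != "uid || userPassword || aci")
 (version 3.0; acl "users edit their own entry, except identity attrs";
 allow (write) userdn = "ldap:///self";)
# Proxy: the application binds as uid=webapp and then operates with the
# rights of any user DN it names (never Directory Manager).
aci: (targetattr = "*")
 (version 3.0; acl "application may proxy as any user";
 allow (proxy) userdn = "ldap:///uid=webapp,ou=Services,dc=example,dc=com";)

# Add and Delete concern whole entries, so they are granted on the
# parent beneath which entries are created or from which they are removed.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
 (version 3.0; acl "HR admins create and remove person entries";
 allow (add, delete)
 groupdn = "ldap:///cn=HR Admins,ou=Groups,dc=example,dc=com";)

# Selfwrite: a user may add or remove only their own DN in the group.
dn: cn=Editors,ou=Groups,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "uniqueMember")
 (version 3.0; acl "members manage their own membership";
 allow (selfwrite) userdn = "ldap:///all";)

# Discouraged: the same intent as the self-write rule above, expressed
# as a deny. A deny overrides every allow that matches the same
# operation, so this would also block the HR admins, and any ACI added
# later, from ever writing uid. Left commented out on purpose.
# aci: (targetattr = "uid || userPassword || aci")
#  (version 3.0; acl "do not do this";
#  deny (write) userdn = "ldap:///all";)
```

Load the file with ldapmodify bound as Directory Manager, then check the Read/Search distinction by binding as an ordinary user and running one search with the filter (cn=jane*) and another with (roomNumber=204): the first returns roomNumber alongside cn, the second returns no entries even though the entry exists. Note that the aci attribute itself is listed among the attributes users may not write; leaving it writable would let a user rewrite the rules that govern their own entry.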
