Example With userattr Inheritance

The example in the following figure indicates that user bjensen is allowed to read and search the cn=Profiles entry as well as the first level of child entries, which includes cn=mail and cn=news, thus allowing her to search through her own mail and news IDs.

Figure 6-1 Using Inheritance With the userattr Keyword

In this example, if you did not use inheritance you would have to do one of the following to achieve the same result:

• Explicitly set read and search access for user bjensen on the cn=Profiles, cn=mail, and cn=news entries in the directory.

• Add the owner attribute with a value of bjensen to the cn=mail and cn=news entries and then add the following ACI to the cn=mail and cn=news entries:

aci: (targetattr="*") (version 3.0; acl "profiles access"; allow (read,search) userattr="owner#USERDN";)
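The following Python script is an added illustration and is not text or code from the Administrator's Guide. It models how a userattr bind rule is evaluated against a small constructed tree (cn=Profiles with children cn=mail and cn=news, plus a second-level cn=archive entry that the page does not mention) so that the difference between the two approaches above is visible: with the inheritance form of the keyword, parent[0,1].owner#USERDN (assumed here; levels 0 and 1 mean the target entry and its parent), a single owner attribute on cn=Profiles lets bjensen match cn=mail and cn=news as well, whereas the plain owner#USERDN form only matches entries that carry the attribute themselves. The DN handling and the bind-DN comparison are simplified for the example and are not the server's implementation.

```python
import re

# Constructed sample tree (not from the manual): cn=Profiles is the only
# entry that carries the owner attribute; cn=mail and cn=news are its
# first-level children, cn=archive is a second-level child.
BJENSEN = "uid=bjensen,ou=People,dc=example,dc=com"
DIRECTORY = {
    "cn=Profiles,ou=People,dc=example,dc=com": {"owner": [BJENSEN]},
    "cn=mail,cn=Profiles,ou=People,dc=example,dc=com": {},
    "cn=news,cn=Profiles,ou=People,dc=example,dc=com": {},
    "cn=archive,cn=news,cn=Profiles,ou=People,dc=example,dc=com": {},
}

# Assumed grammar of a userattr value: [parent[levels].]attribute#bindType
USERATTR_RE = re.compile(
    r"^(?:parent\[(?P<levels>\d+(?:,\d+)*)\]\.)?"
    r"(?P<attr>[A-Za-z][\w-]*)#(?P<bind>\w+)$"
)


def parse_userattr(value):
    """Split a userattr value into (inheritance levels, attribute, bind type).

    A value without a parent[...] prefix applies to the target entry only,
    which is represented as level 0.
    """
    m = USERATTR_RE.match(value)
    if not m:
        raise ValueError(f"malformed userattr value: {value!r}")
    levels = m.group("levels")
    levels = [int(x) for x in levels.split(",")] if levels else [0]
    return levels, m.group("attr"), m.group("bind")


def ancestor_dn(dn, level):
    """Return the DN `level` steps above `dn` (level 0 is dn itself).

    Simplified DN handling for the example: RDNs are split on commas, so
    escaped commas inside attribute values are not supported.
    """
    for _ in range(level):
        parts = dn.split(",", 1)
        if len(parts) < 2:
            return None  # walked past the root of the tree
        dn = parts[1]
    return dn


def userattr_matches(directory, target_dn, bind_dn, userattr_value):
    """True if bind_dn equals the named attribute on the target entry, or on
    an ancestor at one of the inheritance levels listed in the rule.

    Only the USERDN bind type is modelled. The DN comparison is a
    case-insensitive string match, which is enough for this constructed tree.
    """
    levels, attr, bind_type = parse_userattr(userattr_value)
    if bind_type != "USERDN":
        raise NotImplementedError("only the USERDN bind type is modelled here")
    for level in levels:
        dn = ancestor_dn(target_dn, level)
        if dn is None or dn not in directory:
            continue
        owners = directory[dn].get(attr, [])
        if any(bind_dn.lower() == v.lower() for v in owners):
            return True
    return False


def readable_entries(directory, bind_dn, userattr_value):
    """Sorted RDNs of every entry the bind DN matches under the given rule."""
    return sorted(
        dn.split(",", 1)[0]
        for dn in directory
        if userattr_matches(directory, dn, bind_dn, userattr_value)
    )


if __name__ == "__main__":
    # With inheritance, one owner attribute on cn=Profiles also covers the
    # first-level children, but not cn=archive two levels down.
    print(readable_entries(DIRECTORY, BJENSEN, "parent[0,1].owner#USERDN"))
    # Without inheritance only cn=Profiles matches; to cover cn=mail and
    # cn=news you would have to add owner to those entries as well.
    print(readable_entries(DIRECTORY, BJENSEN, "owner#USERDN"))
```

Running the script prints the three matching RDNs for the inheritance rule and only cn=Profiles for the plain rule; a bind DN other than bjensen matches nothing under either rule, because the decision rests entirely on the owner value stored in the directory rather than on anything the client supplies.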
Granting Add Permission Using the userattr Keyword

If you use the userattr keyword in conjunction with all or add permissions, you might find that the behavior of the server is not what you expect. Typically, when a new entry is created in the directory, Directory Server evaluates access rights on the entry being created, and not on the parent entry. However, in the case of ACIs using the userattr keyword, this behavior could create a security hole, and the server's normal behavior is modified to avoid it.

Consider the following example:

Bind Rules

Chapter 6 Managing Access Control 215