Setting Permissions; The Precedence Rule; Allowing Or Denying Access - Netscape DIRECTORY SERVER 6.02 - DEPLOYMENT Deployment Manual


Designing Access Control

Setting Permissions

By default, all users are denied access rights of any kind. The exception to this is the
directory manager. For this reason, you must set some ACIs for your directory if
you want your users to be able to access your directory.
The following sections describe the access control mechanism provided by your
Directory Server. For information about how to set ACIs in your directory, see the
Netscape Directory Server Administrator's Guide.

The Precedence Rule

When a user attempts any kind of access to a directory entry, Directory Server
examines the access control set in the directory. To determine access, Directory
Server applies the Precedence Rule. The rule states that when two conflicting
permissions exist, the permission that denies access always takes precedence over
the permission that grants access.
For example, if you deny write permission at the directory's root level, and you
make that permission applicable to everyone accessing the directory, then no user
can write to the directory regardless of any other permissions that you may allow.
To allow a specific user write permissions to the directory, you have to restrict the
scope of the original deny-for-write so that it does not include that user. Then you
have to create an additional allow-for-write permission for the user in question.

Allowing or Denying Access

You can explicitly allow or deny access to your directory tree. Be careful of
explicitly denying access to the directory. Because of the precedence rule, if the
directory finds rules explicitly forbidding access, the directory will forbid access
regardless of any conflicting permissions that may grant access.
Limit the scope of your allow access rules to include only the smallest possible
subset of users or client applications. For example, you can set permissions that
allow users to write to any attribute on their directory entry, but then deny all users
except members of the Directory Administrators group the privilege of writing to
the uid attribute. Alternatively, you can write two access rules that allow write
access in the following ways:
Create one rule that allows write privileges to every attribute except the uid
attribute. This rule should apply to everyone.
Create one rule that allows write privileges to the uid attribute. This rule
should apply only to members of the Directory Administrators group.

Netscape Directory Server Deployment Guide • May 2002
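The following is an added example, not text or code from the Deployment Guide and not Directory Server's own implementation: a small Python model of how ACIs are resolved under the Precedence Rule described in the two sections above. It parses a simplified subset of the ACI syntax (one targetattr clause and one userdn or groupdn bind rule), then decides each request as "any applicable deny wins; otherwise an applicable allow is needed; otherwise the default of no rights applies". The four rule sets encode the root-level deny-for-write scenario from The Precedence Rule and both forms of the uid example from Allowing or Denying Access. The DNs (jdoe, asmith, the Directory Administrators group under dc=example,dc=com) are constructed for the example.

```python
# Added example, not from the Deployment Guide and not the server's own code:
# a model of ACI evaluation under the Precedence Rule. Simplified ACI subset:
# one targetattr clause and one userdn/groupdn bind rule per ACI.
import re
from dataclasses import dataclass, field
from typing import Optional

ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<kw>userdn|groupdn)\s*(?P<kwop>!?=)\s*"ldap:///(?P<value>[^"]*)";\s*\)'
)

@dataclass
class Aci:
    name: str
    attr_negated: bool    # targetattr != "..."
    attrs: set            # {"*"} means every attribute
    effect: str           # "allow" or "deny"
    rights: set
    keyword: str          # "userdn" or "groupdn"
    subject_negated: bool
    value: str            # "self", "anyone", "all" or a DN

@dataclass
class Request:
    bind_dn: Optional[str]            # None means an anonymous bind
    groups: set = field(default_factory=set)
    entry_dn: str = ""
    attr: str = ""
    right: str = "write"

def parse_aci(text):
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported ACI syntax: {text!r}")
    return Aci(m["name"], m["op"] == "!=",
               {a.strip() for a in m["attrs"].split("||")},
               m["effect"], {r.strip() for r in m["rights"].split(",")},
               m["kw"], m["kwop"] == "!=", m["value"])

def _attr_matches(aci, attr):
    hit = "*" in aci.attrs or attr in aci.attrs
    return not hit if aci.attr_negated else hit

def _subject_matches(aci, req):
    if aci.keyword == "groupdn":
        hit = aci.value in req.groups
    elif aci.value == "anyone":
        hit = True
    elif aci.value == "all":
        hit = req.bind_dn is not None
    elif aci.value == "self":
        hit = req.bind_dn is not None and req.bind_dn == req.entry_dn
    else:
        hit = req.bind_dn == aci.value
    return not hit if aci.subject_negated else hit

def decide(acis, req):
    """Precedence Rule: an applicable deny always wins; otherwise an applicable
    allow grants access; otherwise the default (no rights at all) applies."""
    effects = {aci.effect for aci in acis
               if req.right in aci.rights
               and _attr_matches(aci, req.attr)
               and _subject_matches(aci, req)}
    if "deny" in effects:
        return "deny"
    return "allow" if "allow" in effects else "deny"

def write_decision(acis, bind_dn, entry_dn, attr, groups=()):
    return decide(acis, Request(bind_dn, set(groups), entry_dn, attr, "write"))

ADMINS = "cn=Directory Administrators,ou=Groups,dc=example,dc=com"  # constructed
JDOE = "uid=jdoe,ou=People,dc=example,dc=com"                       # constructed
ASMITH = "uid=asmith,ou=People,dc=example,dc=com"                   # constructed

def rules(*texts):
    return [parse_aci(t) for t in texts]

# Precedence Rule: a deny-for-write applied to everyone beats jdoe's allow ...
ROOT_DENY_WINS = rules(
    '(targetattr = "*")(version 3.0; acl "no writes"; deny (write) userdn = "ldap:///anyone";)',
    f'(targetattr = "*")(version 3.0; acl "jdoe writes"; allow (write) userdn = "ldap:///{JDOE}";)',
)
# ... so the deny must first be narrowed to exclude jdoe, then the allow added.
ROOT_DENY_NARROWED = rules(
    f'(targetattr = "*")(version 3.0; acl "no writes"; deny (write) userdn != "ldap:///{JDOE}";)',
    f'(targetattr = "*")(version 3.0; acl "jdoe writes"; allow (write) userdn = "ldap:///{JDOE}";)',
)
# uid example, first form: self-write on every attribute, then deny uid to
# everyone outside the Directory Administrators group.
UID_ALLOW_THEN_DENY = rules(
    '(targetattr = "*")(version 3.0; acl "self writes"; allow (write) userdn = "ldap:///self";)',
    f'(targetattr = "uid")(version 3.0; acl "uid admins only"; deny (write) groupdn != "ldap:///{ADMINS}";)',
)
# uid example, second form: two allow rules and no explicit deny. "Everyone"
# is read here as every user acting on their own entry, as in the first form.
UID_TWO_ALLOWS = rules(
    '(targetattr != "uid")(version 3.0; acl "self writes"; allow (write) userdn = "ldap:///self";)',
    f'(targetattr = "uid")(version 3.0; acl "admins write uid"; allow (write) groupdn = "ldap:///{ADMINS}";)',
)

if __name__ == "__main__":
    print("root deny, jdoe -> own cn:", write_decision(ROOT_DENY_WINS, JDOE, JDOE, "cn"))
    print("narrowed deny, jdoe -> own cn:", write_decision(ROOT_DENY_NARROWED, JDOE, JDOE, "cn"))
    for label, acis in (("allow+deny", UID_ALLOW_THEN_DENY), ("two allows", UID_TWO_ALLOWS)):
        print(label, "jdoe -> own uid:", write_decision(acis, JDOE, JDOE, "uid"),
              "| admin -> jdoe uid:", write_decision(acis, ASMITH, JDOE, "uid", [ADMINS]))
```

Running the model shows the two points the section makes: with the root-level deny in place, jdoe's allow never takes effect, and only narrowing the deny's scope lets the allow work; and in both uid forms an ordinary user can write their own cn but not their own uid. The model also makes a difference between the two forms visible. In the allow-then-deny form the only allow is the self-write rule, so an administrator writing another user's uid matches no allow and falls to the default deny; in the two-allow form the group rule grants that write. Which behaviour is wanted is a design choice the administrator has to make explicitly.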
