Creating ACIs Manually
Rights are granted independently of one another. This means, for example, that a
user who is granted add rights can create an entry but cannot delete it if delete
rights have not been specifically granted. Therefore, when planning the access
control policy for your directory, you must ensure that you grant rights in a way
that makes sense for users. For example, it doesn't usually make sense to grant
write permission without granting read and search permissions.
Rights Required for LDAP Operations
This section describes the rights you need to grant to users depending on the type
of LDAP operation you want to authorize them to perform.
Adding an entry:
• Grant add permission on the entry being added.
• Grant write permission on the value of each attribute in the entry. This right is granted by default but could be restricted using the targattrfilters keyword.
Deleting an entry:
• Grant delete permission on the entry to be deleted.
• Grant write permission on the value of each attribute in the entry. This right is granted by default but could be restricted using the targattrfilters keyword.
Modifying an attribute in an entry:
• Grant write permission on the attribute type.
• Grant write permission on the value of each attribute type. This right is granted by default but could be restricted using the targattrfilters keyword.
Modifying the RDN of an entry:
• Grant write permission on the entry.
• Grant write permission on the attribute type used in the new RDN.
• Grant write permission on the attribute type used in the old RDN, if you want to grant the right to delete the old RDN.
• Grant write permission on the value of the attribute type used in the new RDN. This right is granted by default but could be restricted using the targattrfilters keyword.
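The following Python model is an added example and is not code from the guide or from Directory Server: it encodes the four rules listed above and checks them against two constructed ACIs to show that rights are granted independently (an identity with add and write but no delete can create an entry it cannot remove, and one with write restricted to a few attributes can modify those attributes but cannot rename the entry). It parses only a small subset of the ACI syntax (targetattr, version 3.0, acl name, allow, userdn), treats entry-level write for a rename as any write grant to the bind DN, treats value-level write as granted by default (targattrfilters is not modelled), and the DNs, ACI names and attribute lists are hypothetical.

```python
import re

# Minimal ACI grammar handled by this model (a subset of the Directory Server syntax):
#   (targetattr="a || b")(version 3.0; acl "name"; allow (right, right) userdn="ldap:///DN";)
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<dn>[^"]*)"\s*;\s*\)',
    re.IGNORECASE,
)


def parse_aci(text):
    """Parse one ACI value into a dict; raises ValueError on syntax this model does not cover."""
    m = ACI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unsupported ACI syntax: %r" % text)
    return {
        "name": m["name"],
        "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
        "rights": {r.strip().lower() for r in m["rights"].split(",")},
        "dn": m["dn"].strip().lower(),
    }


def has_right(acis, bind_dn, right, attr=None):
    """True if some ACI grants `right` to bind_dn.

    attr=None is an entry-level check (add, delete, or write on the entry itself)
    and ignores targetattr; otherwise targetattr must be "*" or list the attribute.
    """
    bind_dn = bind_dn.lower()
    for aci in acis:
        if aci["dn"] != bind_dn or right not in aci["rights"]:
            continue
        if attr is None or "*" in aci["attrs"] or attr.lower() in aci["attrs"]:
            return True
    return False


def required_rights(operation, attrs=(), attr=None, new_rdn_attr=None,
                    old_rdn_attr=None, delete_old_rdn=False):
    """The (right, attribute) pairs the rules above list for each operation.

    Value-level write (the part targattrfilters can restrict) is treated as
    granted by default and is not modelled here.
    """
    if operation == "add":
        return [("add", None)] + [("write", a) for a in attrs]
    if operation == "delete":
        return [("delete", None)] + [("write", a) for a in attrs]
    if operation == "modify":
        return [("write", attr)]
    if operation == "modrdn":
        needed = [("write", None), ("write", new_rdn_attr)]
        if delete_old_rdn:
            needed.append(("write", old_rdn_attr))
        return needed
    raise ValueError("unknown operation: %r" % operation)


def missing_rights(acis, bind_dn, operation, **params):
    """Return the (right, attribute) pairs bind_dn still lacks; [] means the operation is allowed."""
    missing = []
    for right, attr in required_rights(operation, **params):
        if not has_right(acis, bind_dn, right, attr) and (right, attr) not in missing:
            missing.append((right, attr))
    return missing


# Constructed sample ACIs with hypothetical DNs; not taken from any real deployment.
SAMPLE_ACIS = [parse_aci(s) for s in (
    '(targetattr="*")(version 3.0; acl "HR bot may add"; '
    'allow (add, write) userdn="ldap:///uid=hrbot,ou=Services,dc=example,dc=com";)',
    '(targetattr="telephoneNumber || mail")(version 3.0; acl "Helpdesk edits contact data"; '
    'allow (write) userdn="ldap:///uid=helpdesk,ou=Services,dc=example,dc=com";)',
)]
HRBOT = "uid=hrbot,ou=Services,dc=example,dc=com"
HELPDESK = "uid=helpdesk,ou=Services,dc=example,dc=com"
NEW_ENTRY_ATTRS = ("objectClass", "cn", "sn", "uid")

if __name__ == "__main__":
    print("hrbot add:      ", missing_rights(SAMPLE_ACIS, HRBOT, "add", attrs=NEW_ENTRY_ATTRS))
    print("hrbot delete:   ", missing_rights(SAMPLE_ACIS, HRBOT, "delete", attrs=NEW_ENTRY_ATTRS))
    print("helpdesk mail:  ", missing_rights(SAMPLE_ACIS, HELPDESK, "modify", attr="mail"))
    print("helpdesk cn:    ", missing_rights(SAMPLE_ACIS, HELPDESK, "modify", attr="cn"))
    print("helpdesk rename:", missing_rights(SAMPLE_ACIS, HELPDESK, "modrdn",
                                             new_rdn_attr="uid", old_rdn_attr="uid",
                                             delete_old_rdn=True))
```

Run stand-alone, the hrbot identity passes the add check and fails only on the delete right, which is the independence point made at the top of this section; the helpdesk identity can modify mail but not cn, and its rename of a uid-named entry fails because uid is outside its targetattr even though it holds write. When you write real ACIs, reviewing them against this kind of per-operation checklist is a cheap way to catch a grant that is either too narrow to be usable or broader than the task needs.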
Netscape Directory Server Administrator's Guide • May 2002