About The Aci Format - Netscape DIRECTORY SERVER 6.1 - DEPLOYMENT Deployment Manual

About the ACI Format

When designing your security policy, it is helpful to understand how ACIs are
represented in your directory. It is also helpful to understand what permissions
you can set in your directory. This section gives you a brief overview of the ACI
mechanism. For a complete description of the ACI format, see the Netscape
Directory Server Administrator's Guide.
Directory ACIs take the following general form:
target permission bind_rule
The ACI variables are defined below:
• target
Specifies the entry (usually a subtree) the ACI targets, the attribute it targets, or
both. The target identifies the directory element that the ACI applies to. An ACI
can target only one entry, but it can target multiple attributes. In addition, the
target can contain an LDAP search filter. This allows you to set permissions for
widely scattered entries that contain common attribute values.
• permission
Identifies the actual permission being set by this ACI. The permission says that
the ACI is allowing or denying a specific type of directory access, such as read
or search, to the specified target.
• bind_rule
Identifies the bind DN or network location to which the permission applies.
The bind rule may also specify an LDAP filter, and if that filter is evaluated to
be true for the binding client application, then the ACI applies to the client
application.
So, ACIs are expressed as follows:
"For the directory object target, allow or deny permission if the
bind_rule is true."
permission and bind_rule are set as a pair, and you can have multiple permission
bind_rule pairs for every target. This allows you to efficiently set multiple access
controls for any given target. For example:
target(permission bind_rule)(permission bind_rule)...
Designing Access Control
Chapter 7 Designing a Secure Directory 147