Targets; Permissions - Netscape DIRECTORY SERVER 6.1 - DEPLOYMENT Deployment Manual

Hide thumbs Also See for NETSCAPE DIRECTORY SERVER 6.1 - DEPLOYMENT:

Configuration manual (314 pages)

Reference (162 pages)

Installation manual (128 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

page of 200

/ 200
Contents
Table of Contents
Bookmarks

Table of Contents

Designing Access Control

For example, you can set a permission that allows anyone binding as Babs Jensen to

write to Babs Jensen's telephone number. The bind rule in this permission is the

part that states "if you bind as Babs Jensen." The target is Babs Jensen's phone

number, and the permission is write access.

Targets

You must decide what entry is targeted by every ACI you create in your directory.

If you target a directory entry that is a directory branch point, then that branch

point, as well as all of its child entries, are included in the scope of the permission.

If you do not explicitly specify a target entry for the ACI, then the ACI is targeted

to the directory entry that contains the ACI statement. Also, the default set of

attributes targeted by the ACI is any attribute available in the targeted entry's

object class structure.

For every ACI, you can target only one entry or only those entries that match a

single LDAP search filter.

In addition to targeting entries, you can also target attributes on the entry. This

allows you to set a permission that applies to only a subset of attribute values. You

can target sets of attributes by explicitly naming those attributes that are targeted,

or by explicitly naming the attributes that are not targeted by the ACI. Use the

latter case if you want to set a permission for all but a few attributes allowed by an

object class structure.

Permissions

You allow or deny permissions. In general, you should avoid denying permissions

for the reasons explained in "Allowing or Denying Access," on page 150.

You can allow or deny the following permissions:

•

Read—Indicates whether directory data may be read.

•

Write—Indicates whether directory data may be changed or created. This

permission also allows directory data to be deleted, but not the entry itself. To

delete an entire entry, the user must have delete permissions.

•

Search—Indicates whether the directory data can be searched. This differs

from the Read permission in that Read allows directory data to be viewed if it

is returned as part of a search operation. For example, if you allow searching

for common names and read for a person's room number, then the room

number can be returned as part of the common name search, but the room

number cannot, itself, be searched for. This would prevent people from

searching your directory to see who it is that sits in a particular room.

148

Netscape Directory Server Deployment Guide • August 2002

Table of Contents

Targets; Permissions - Netscape DIRECTORY SERVER 6.1 - DEPLOYMENT Deployment Manual

Targets

Permissions

Related Manuals for Netscape NETSCAPE DIRECTORY SERVER 6.1 - DEPLOYMENT

Related Content for Netscape NETSCAPE DIRECTORY SERVER 6.1 - DEPLOYMENT

Table of Contents