When to Deny Access - Netscape Directory Server 6.1 Deployment Manual

Limit the scope of your allow access rules to include only the smallest possible subset of users or client applications. For example, you can set permissions that allow users to write to any attribute on their directory entry, but then deny all users except members of the Directory Administrators group the privilege of writing to the uid attribute. Alternatively, you can write two access rules that allow write access in the following ways:

• Create one rule that allows write privileges to every attribute except the uid attribute. This rule should apply to everyone.

• Create one rule that allows write privileges to the uid attribute. This rule should apply only to members of the Directory Administrators group.

By providing only allow privileges you avoid the need to set an explicit deny privilege.

When to Deny Access

You rarely need to set an explicit deny. However, you may find an explicit deny useful in the following circumstances:

• You have a large directory tree with a complicated ACL spread across it.

For security reasons, you find that you suddenly need to deny access to a particular user, group, or physical location. Rather than spend the time to carefully examine your existing ACL to understand how to appropriately restrict the allow permissions, you may want to temporarily set the explicit deny until you have time to do this analysis. If your ACL has become this complicated, then in the long run the deny ACI only adds to your administrative burden. As soon as possible, rework your ACL to avoid the explicit deny and simplify your overall access control scheme.

• You want to restrict access control based on a day of the week or an hour of the day.

For example, you can deny all writing activities from Sunday at 11:00 p.m. (2300) to Monday at 1:00 a.m. (0100). From an administrative point of view, it may be easier to manage one ACI that explicitly restricts time-based access of this kind than to search through the directory for every ACI that allows write access and restrict each one's scope for this time frame.

• You want to restrict privileges when you are delegating directory administration authority to multiple people.
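The two patterns above, as an added example that is not part of the original manual: the allow-only pair for the uid attribute (the preferred approach), followed by the one case where an explicit deny is justified, the Sunday 2300 to Monday 0100 write freeze. The suffix dc=example,dc=com, the ou=People container and the group DN cn=Directory Administrators,ou=Groups,dc=example,dc=com are assumed placeholders.

```ldif
# Added example (not from the manual). Assumed suffix: dc=example,dc=com.
# Preferred pattern: two allow ACIs, no explicit deny. Users may write every
# attribute of their own entry except uid; only Directory Administrators may
# write uid. Because nothing grants uid write access to ordinary users, no
# deny rule is needed and the ACL stays easy to reason about.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "uid")(version 3.0; acl "Self write, all attributes except uid"; allow (write) userdn = "ldap:///self";)
aci: (targetattr = "uid")(version 3.0; acl "Directory Administrators write uid"; allow (write) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

# Justified explicit deny: a time-based restriction. A single deny ACI at the
# suffix blocks all writes from Sunday 2300 through Monday 0100, instead of
# editing the scope of every allow-write ACI in the tree. Deny takes precedence
# over allow, so this overrides the allow rules above during the window.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "No writes Sun 2300 - Mon 0100"; deny (write) (dayofweek = "Sun" and timeofday >= "2300") or (dayofweek = "Mon" and timeofday < "0100");)
```

Apply each change with ldapmodify as a user permitted to write the aci attribute, and remove the deny ACI once the maintenance window is no longer needed so it does not linger as hidden complexity.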
Chapter 7 Designing a Secure Directory 151
