Netscape DIRECTORY SERVER 6.1 - ADMINISTRATOR Administrator's Manual page 208

Creating ACIs Manually
Delete. Indicates whether users can delete entries. This permission applies only to
the delete operation.
Search. Indicates whether users can search for the directory data. Users must have
Search and Read rights in order to view the data returned as part of a search result.
This permission applies only to the search operation.
Compare. Indicates whether the users can compare data they supply with data
stored in the directory. With compare rights, the directory returns a success or
failure message in response to an inquiry, but the user cannot see the value of the
entry or attribute. This permission applies only to the compare operation.
Selfwrite. Indicates whether users can add or delete their own DN from a group.
This right is used only for group management.
Proxy. Indicates whether the specified DN can access the target with the rights of
another entry. For an overview of proxy access, refer to the Netscape Directory
Server Deployment Guide.
All. Indicates that the specified DN has all rights (read, write, search, delete,
compare, and selfwrite) to the targeted entry, excluding proxy rights.
Rights are granted independently of one another. This means, for example, that a
user who is granted add rights can create an entry but cannot delete it if delete
rights have not been specifically granted. Therefore, when planning the access
control policy for your directory, you must ensure that you grant rights in a way
that makes sense for users. For example, it doesn't usually make sense to grant
write permission without granting read and search permissions.
NOTE
The proxy mechanism is very powerful and must be used sparingly.
Proxy rights are granted within the scope of the ACL and there is no
way to restrict who an entry that has the proxy right can
impersonate—that is, when you grant a user proxy rights, that user
has the ability to proxy for any user under the target; there is no way
to restrict the proxy rights to only certain users. For example, if an
entity has proxy rights to the dc=example,dc=com tree, that entity
can do anything. So, make sure you set the proxy ACI at the lowest
possible level of the DIT; see "Proxied Authorization ACI Example,"
on page 253.
For a general overview, see "Proxy Authentication" in Chapter 7,
"Designing a Secure Directory" of Netscape Directory Server
Deployment Guide.

Netscape Directory Server Administrator's Guide • August 2002
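
An added example, not taken from the manual: a small Python check that applies the two planning rules above to ACI strings, flagging a proxy right whose target is the suffix itself and rights granted without the companion rights needed to use them. The sample ACIs, their DNs, and the finding names are constructed for illustration; the parsing is simplified (no wildcard or != targets), and each finding is per ACI, so another ACI may still grant the missing rights.

```python
import re
# "all" as this page lists it: every right except proxy.
ALL_RIGHTS = {"read", "write", "search", "delete", "compare", "selfwrite"}
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.I)
TARGET_RE = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)', re.I)

def norm_dn(dn):
    """Lowercase a DN and trim spaces around its RDNs (simplified comparison)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def audit_aci(aci, entry_dn, suffix):
    """Return findings for one ACI value stored on entry_dn."""
    findings = []
    m = TARGET_RE.search(aci)
    # With no target keyword, the ACI applies to the entry that holds it.
    target = norm_dn(m.group(1) if m else entry_dn)
    for kind, raw in RULE_RE.findall(aci):
        if kind.lower() != "allow":
            continue
        rights = {r.strip().lower() for r in raw.split(",") if r.strip()}
        if "all" in rights:
            rights = (rights - {"all"}) | ALL_RIGHTS
        # Proxy cannot be limited to certain users, so scope is the only control.
        if "proxy" in rights and target == norm_dn(suffix):
            findings.append("proxy-at-suffix")
        # Rights are independent: write alone gives no way to find or view data.
        if "write" in rights and not {"read", "search"} <= rights:
            findings.append("write-without-read-search")
        if "search" in rights and "read" not in rights:
            findings.append("search-without-read")
    return findings

# Constructed sample ACIs (hypothetical DNs under dc=example,dc=com).
SUFFIX = "dc=example,dc=com"
SAMPLES = [
    (SUFFIX, '(targetattr="*")(version 3.0; acl "app proxy"; '
             'allow (proxy) userdn="ldap:///uid=app,ou=services,dc=example,dc=com";)'),
    ("ou=apps," + SUFFIX, '(target="ldap:///ou=Apps,dc=example,dc=com")(targetattr="*")'
             '(version 3.0; acl "scoped proxy"; allow (proxy) '
             'userdn="ldap:///uid=app,ou=services,dc=example,dc=com";)'),
    ("ou=people," + SUFFIX, '(targetattr="telephoneNumber")(version 3.0; '
             'acl "phone"; allow (write) userdn="ldap:///self";)'),
    (SUFFIX, '(targetattr="*")(version 3.0; acl "admins"; allow (all) '
             'groupdn="ldap:///cn=admins,dc=example,dc=com";)'),
]

if __name__ == "__main__":
    for entry_dn, aci in SAMPLES:
        print(entry_dn, audit_aci(aci, entry_dn, SUFFIX))
```

The fourth sample returns no findings because "all" does not include proxy, which has to be granted by name.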
