Using the ACL, you can set permissions for the following:
• The entire directory
• A particular subtree of the directory
• Specific entries in the directory
• A specific set of entry attributes
• Any entry that matches a given LDAP search filter
In addition, you can set permissions for a specific user, for all users belonging to a
specific group, or for all users of the directory. Lastly, you can define access for a
network location such as an IP address or a DNS name.
About the ACI Format
When designing your security policy, it is helpful to understand how ACIs are
represented in your directory. It is also helpful to understand what permissions
you can set in your directory. This section gives you a brief overview of the ACI
mechanism. For a complete description of the ACI format, see the Netscape
Directory Server Administrator's Guide.
Directory ACIs take the following general form:
target permission bind_rule
The ACI variables are defined below:
• target
Specifies the entry (usually a subtree) the ACI targets, the attribute it targets, or
both. The target identifies the directory element that the ACI applies to. An ACI
can target only one entry, but it can target multiple attributes. In addition, the
target can contain an LDAP search filter. This allows you to set permissions for
widely scattered entries that contain common attribute values.
• permission
Identifies the actual permission being set by this ACI. The permission says that
the ACI is allowing or denying a specific type of directory access, such as read
or search, to the specified target.
• bind_rule
Designing Access Control
Chapter 7
Designing a Secure Directory
155
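To make the target / permission / bind_rule structure concrete, here is an added example (not code from this guide or from the Directory Server product) that splits a version 3.0 ACI value into those three parts and then reviews the grant for two over-broad patterns a security reviewer looks for: write-class rights given to anonymous or to every authenticated user, and anonymous read of every attribute (which, with targetattr="*", includes userPassword). The ACI strings are constructed samples; the keywords used (target, targetattr, targetfilter, version 3.0, acl, allow/deny, userdn with the ldap:///self, ldap:///anyone and ldap:///all forms) follow the Netscape/389 ACI syntax as documented in the Administrator's Guide the text refers to, and the Aci class, parse_aci and review_aci are hypothetical helpers written for this illustration. Negated bind rules and the default when targetattr is omitted (which differs between server versions) are deliberately not modelled.

```python
"""Split a Netscape-style version 3.0 ACI into target, permission and bind-rule parts,
then flag over-broad grants.  Added example; not code from the deployment guide."""
import re
from dataclasses import dataclass

# Target clauses come first: (target="..."), (targetattr="..."), (targetfilter="...").
# The operator is "=" or "!=" (the latter excludes the named value from the target).
TARGET_RE = re.compile(r'\s*\((target|targetattr|targetfilter)\s*(!?=)\s*"([^"]*)"\)')
# Then the header that names the ACI: (version 3.0; acl "label";
HEADER_RE = re.compile(r'\s*\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;')
# Then one or more permission clauses: allow|deny (rights) bind_rule;
PERM_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.DOTALL)


@dataclass
class Aci:
    name: str       # the acl "..." label
    targets: dict   # keyword -> (operator, value), e.g. {"targetattr": ("!=", "userPassword")}
    rules: list     # [(effect, [rights], bind_rule), ...]


def parse_aci(text):
    """Return an Aci for one ACI value, raising ValueError on structural problems."""
    text = text.strip()
    targets, pos = {}, 0
    while True:
        m = TARGET_RE.match(text, pos)
        if not m:
            break
        targets[m.group(1)] = (m.group(2), m.group(3))
        pos = m.end()
    header = HEADER_RE.match(text, pos)
    if not header:
        raise ValueError('expected (version 3.0; acl "name"; after the target clauses')
    body = text[header.end():]
    if not body.endswith(")"):
        raise ValueError("ACI must close with ')'")
    rules = []
    for m in PERM_RE.finditer(body[:-1]):
        rights = [r.strip().lower() for r in m.group(2).split(",") if r.strip()]
        rules.append((m.group(1).lower(), rights, m.group(3)))
    if not rules:
        raise ValueError("ACI has no allow/deny clause")
    return Aci(header.group(1), targets, rules)


WRITE_RIGHTS = {"write", "add", "delete", "all", "proxy"}


def review_aci(aci):
    """Findings for grants broader than a least-privilege policy usually wants (heuristic)."""
    findings = []
    attr = aci.targets.get("targetattr")
    for effect, rights, bind in aci.rules:
        if effect != "allow":
            continue
        anonymous = "ldap:///anyone" in bind          # unauthenticated binds included
        any_user = anonymous or "ldap:///all" in bind  # every authenticated user
        granted_writes = WRITE_RIGHTS & set(rights)
        if any_user and granted_writes:
            findings.append(f"{aci.name}: {sorted(granted_writes)} granted to {bind}")
        if anonymous and "read" in rights and attr == ("=", "*"):
            findings.append(f'{aci.name}: anonymous read of every attribute '
                            f'(userPassword included); prefer targetattr!="userPassword"')
    return findings


# Constructed sample ACIs (not taken from any real deployment).
ACI_SELF_PASSWORD = ('(targetattr="userPassword")(version 3.0; acl "Self password change"; '
                     'allow (write) userdn="ldap:///self";)')
ACI_ANON_READ_ALL = ('(target="ldap:///ou=People,dc=example,dc=com")(targetattr="*")'
                     '(targetfilter="(objectClass=person)")(version 3.0; acl "Anonymous read"; '
                     'allow (read,search,compare) userdn="ldap:///anyone";)')
ACI_ANON_READ_SAFE = ('(targetattr!="userPassword")(version 3.0; acl "Anonymous read minus passwords"; '
                      'allow (read,search,compare) userdn="ldap:///anyone";)')
ACI_ANON_WRITE = '(targetattr="*")(version 3.0; acl "Open write"; allow (write) userdn="ldap:///anyone";)'

if __name__ == "__main__":
    for sample in (ACI_SELF_PASSWORD, ACI_ANON_READ_ALL, ACI_ANON_READ_SAFE, ACI_ANON_WRITE):
        aci = parse_aci(sample)
        print(aci.name, "->", review_aci(aci) or "no findings")
```

Running the module prints one line per sample; only the two anonymous-"*" grants produce findings. The parser is intentionally strict about the header and closing parenthesis so that a malformed ACI is reported rather than silently treated as permissive.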