Because Boolean expressions are evaluated from left to right, in the first case, bind
rule A is evaluated before bind rule B, and in the second case, bind rule B is
evaluated before bind rule A.
However, the Boolean NOT is evaluated before the Boolean OR and Boolean AND. Thus, in the following example:
(bind_rule_A) AND NOT (bind_rule_B)
bind rule B is evaluated before bind rule A despite the left-to-right rule.
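The ordering rule above, modelled in Python as an added example (not code from this manual or from Directory Server): it reports the order in which the bind rules of a flat Boolean expression are evaluated. The function names, the sample expression and the strict left-to-right combination in `evaluate` are assumptions of the example, and nested parentheses are not handled.

```python
import re

# Illustrative model of the ordering rule described above; not Directory Server code.
# Assumption: a flat expression of parenthesized bind rules with no nested parentheses.
TOKEN = re.compile(r"\s*(\([^()]*\)|and|or|not)\s*", re.IGNORECASE)

# Constructed sample using two keywords named in this section.
SAMPLE = '(authmethod = "ssl") and not (roledn = "ldap:///cn=temp,dc=example,dc=com")'

def parse(expr):
    """Return a list of (operator, negated, rule) terms in written order."""
    terms, op, negated, pos = [], None, False, 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}")
        tok, pos = m.group(1), m.end()
        word = tok.lower()
        if word in ("and", "or"):
            if not terms or op or negated:
                raise ValueError(f"misplaced operator {tok!r}")
            op = word
        elif word == "not":
            negated = not negated
        else:
            if terms and not op:
                raise ValueError("missing AND/OR between bind rules")
            terms.append((op, negated, tok[1:-1].strip()))
            op, negated = None, False
    if op or negated:
        raise ValueError("expression ends with an operator")
    return terms

def evaluation_order(expr):
    """Negated bind rules first, then the rest, each group left to right."""
    terms = parse(expr)
    return ([rule for _, neg, rule in terms if neg] +
            [rule for _, neg, rule in terms if not neg])

def evaluate(expr, results):
    """Combine the terms left to right (an assumption); results maps rule -> bool."""
    value = None
    for op, neg, rule in parse(expr):
        term = results[rule] != neg
        if value is None:
            value = term
        else:
            value = (value and term) if op == "and" else (value or term)
    return value
```

The order changes which bind rule is checked first, not the Boolean result of the expression.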
Creating ACIs From the Console
You can use the Directory Server Console to view, create, edit, and delete access
control instructions for your directory. This section provides general
instructions for:
• Displaying the Access Control Editor
• Viewing Current ACIs
• Creating a New ACI
• Editing an ACI
• Deleting an ACI
See "Access Control Usage Examples," on page 236 for a collection of access control
rules commonly used in Directory Server security policies, along with step-by-step
instructions for using the Directory Server Console to create them.
The Access Control Editor does not enable you to construct some of the more
complex ACIs when you are in Visual editing mode. In particular, from the Access
Control Editor you cannot:
• Deny access (see "Permissions Syntax," on page 212)
• Create value-based ACIs (see "Targeting Attribute Values Using LDAP Filters," on page 207)
• Define parent access (see "Parent Access (parent Keyword)," on page 216)
• Create ACIs that contain Boolean bind rules (see "Using Boolean Bind Rules," on page 230)
• Generally, create ACIs that use the following keywords: roledn, userattr, authmethod
Chapter 6 Managing Access Control 231