Setting Permissions; The Precedence Rule; Allowing Or Denying Access - Netscape DIRECTORY SERVER 7.0 - DEPLOYMENT Deployment Manual


Designing Access Control
Parent — If the bind DN is the immediate parent entry, then the bind rule is
true. This allows you to grant specific permissions that allow a directory
branch point to manage its immediate child entries.
Self — If the bind DN is the same as the entry requesting access, then the bind
rule is true. This way you can grant specific permission that allows
individuals to update their own entries.
All — The bind rule is true for anyone who has successfully bound to the
directory.
Anyone — The bind rule is true for everyone. This keyword is what allows or
denies anonymous access.

Setting Permissions

By default, all users are denied access rights of any kind. The exception to this is
the Directory Manager. For this reason, you must set some ACIs for your
directory if you want your users to be able to access your directory.

The following sections describe the access control mechanism provided by your
Directory Server. For information about how to set ACIs in your directory, see the
Netscape Directory Server Administrator's Guide.

The Precedence Rule

When a user attempts any kind of access to a directory entry, Directory Server
examines the access control set in the directory. To determine access, Directory
Server applies the Precedence Rule. The rule states that when two conflicting
permissions exist, the permission that denies access always takes precedence over
the permission that grants access.

For example, if you deny write permission at the directory's root level, and you
make that permission applicable to everyone accessing the directory, then no user
can write to the directory regardless of any other permissions that you may allow.
To allow a specific user write permissions to the directory, you have to restrict the
scope of the original deny-for-write so that it does not include that user. Then you
have to create an additional allow-for-write permission for the user in question.

Allowing or Denying Access

You can explicitly allow or deny access to your directory tree. Be careful when
explicitly denying access to the directory. Because of the precedence rule, if the
directory finds rules explicitly forbidding access, the directory will forbid access
regardless of any conflicting permissions that may grant access.
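
The following Python sketch is an added illustration, not code from the manual or from Directory Server. It models the default-deny behavior, the Precedence Rule and the four bind rule keywords described above, and replays the root-level deny-for-write example. The `Rule` class, the function names and the sample DNs are hypothetical; every rule is assumed to apply to the target entry, DNs are compared as plain strings, and the Directory Manager exception is not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str                       # "allow" or "deny"
    right: str                        # e.g. "read", "write"
    subject: str                      # anyone | all | self | parent | a bind DN
    exclude: frozenset = frozenset()  # bind DNs carved out of the rule's scope

def parent_dn(dn):
    """Immediate parent of a DN (naive split; escaped commas not handled)."""
    return dn.split(",", 1)[1] if "," in dn else ""

def subject_matches(rule, bind_dn, target_dn):
    """bind_dn is None for an anonymous (unbound) client."""
    if bind_dn in rule.exclude:
        return False
    if rule.subject == "anyone":      # everyone, including anonymous
        return True
    if bind_dn is None:               # remaining subjects need a bind
        return False
    if rule.subject == "all":         # any successfully bound user
        return True
    if rule.subject == "self":
        return bind_dn == target_dn
    if rule.subject == "parent":
        return bind_dn == parent_dn(target_dn)
    return bind_dn == rule.subject    # explicit bind DN

def is_allowed(rules, bind_dn, target_dn, right):
    hits = [r for r in rules
            if r.right == right and subject_matches(r, bind_dn, target_dn)]
    if any(r.effect == "deny" for r in hits):
        return False                  # precedence rule: deny beats allow
    return any(r.effect == "allow" for r in hits)  # no match: default deny

# Constructed sample DNs and rule sets.
ADMIN = "uid=admin,ou=people,dc=example,dc=com"
USER = "uid=bjensen,ou=people,dc=example,dc=com"
BROAD = [Rule("deny", "write", "anyone"), Rule("allow", "write", ADMIN)]
SCOPED = [Rule("deny", "write", "anyone", frozenset({ADMIN})),
          Rule("allow", "write", ADMIN)]

if __name__ == "__main__":
    print(is_allowed(BROAD, ADMIN, USER, "write"))
    print(is_allowed(SCOPED, ADMIN, USER, "write"))
    print(is_allowed(SCOPED, USER, USER, "write"))
```

With `BROAD`, the allow rule for the administrator is overridden by the unscoped deny; with `SCOPED`, the deny no longer covers that user, so the separate allow takes effect.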
Netscape Directory Server Deployment Guide • October 2004
