When to Deny Access - Netscape Directory Server 7.0 Deployment Manual


Limit the scope of your allow access rules to include only the smallest possible
subset of users or client applications. For example, you can set permissions that
allow users to write to any attribute on their directory entry, but then deny all users
except members of the Directory Administrators group the privilege of writing to
the uid attribute. Alternatively, you can write two access rules that allow write
access in the following ways:

- Create one rule that allows write privileges to every attribute except the uid
  attribute. This rule should apply to everyone.
- Create one rule that allows write privileges to the uid attribute. This rule
  should apply only to members of the Directory Administrators group.

By providing only allow privileges you avoid the need to set an explicit deny
privilege.

When to Deny Access

You rarely need to set an explicit deny. However, you may find an explicit deny
useful in the following circumstances:

- You have a large directory tree with a complicated ACL spread across it.
  For security reasons, you find that you suddenly need to deny access to a particular
  user, group, or physical location. Rather than spend the time to carefully examine
  your existing ACL to understand how to appropriately restrict the allow permissions,
  you may want to temporarily set the explicit deny until you have time to do this
  analysis. If your ACL has become this complicated, then, in the long run, the deny
  ACI only adds to your administrative burden. As soon as possible, rework your ACL to
  avoid the explicit deny and simplify your overall access control scheme.
- You want to restrict access based on a day of the week or an hour of the day.
  For example, you can deny all writing activities from Sunday at 11:00 p.m. (2300) to
  Monday at 1:00 a.m. (0100). From an administrative point of view, it may be easier to
  manage an ACI that explicitly restricts time-based access of this kind than to search
  through the directory for all the allow-for-write ACIs and restrict their scopes in
  this time frame.
- You want to restrict privileges when you are delegating directory administration
  authority to multiple people.
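The two allow rules that replace an allow-plus-deny pair (described above under limiting allow rules) and the Sunday 2300 to Monday 0100 write freeze just described, written as ACIs in LDIF. This is an added example, not text from the manual; the suffix dc=example,dc=com, the group DN and the acl names are assumptions.

```ldif
# Constructed example (not from the manual). Assumed suffix dc=example,dc=com
# and assumed group DN cn=Directory Administrators,ou=Groups,dc=example,dc=com.
# Load as the directory administrator, e.g.:
#   ldapmodify -D "cn=Directory Manager" -W -f acis.ldif
dn: dc=example,dc=com
changetype: modify
add: aci
# Rule 1 (allow only): every user may write every attribute of their own
# entry except uid. No deny rule is needed for uid because it is simply
# left out of this rule's target.
aci: (targetattr != "uid")(version 3.0; acl "Self write, all but uid";
  allow (write) userdn = "ldap:///self";)
# Rule 2 (allow only): only Directory Administrators may write uid.
aci: (targetattr = "uid")(version 3.0; acl "Admins write uid";
  allow (write)
  groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
-
add: aci
# The one explicit deny this section justifies: a scheduled write freeze
# from Sunday 23:00 (2300) through Monday 01:00 (0100). One deny ACI is
# easier to manage than narrowing every allow-for-write ACI in the tree.
aci: (targetattr = "*")(version 3.0; acl "Weekly write freeze";
  deny (write) (userdn = "ldap:///anyone") and
  ((dayofweek = "Sun" and timeofday >= "2300") or
   (dayofweek = "Mon" and timeofday < "0100"));)
```

Because `targetattr != "uid"` grants the complement of uid, confirm after loading (with a test bind as an ordinary user) that it does not also expose attributes that should stay restricted, such as userPassword. Remove the freeze ACI as soon as the maintenance window scheme changes, so it does not become the kind of lingering deny the text warns about.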
Designing Access Control
Chapter 7 Designing a Secure Directory 159
