Where To Place Access Control Rules; Using Filtered Access Control Rules - Netscape DIRECTORY SERVER 7.0 - DEPLOYMENT Deployment Manual


Designing Access Control
If you are allowing a person or group of people to manage some part of the directory
tree, but you want to make sure that they do not modify some aspect of the tree, use an
explicit deny. For example, if you want to make sure the Mail Administrators do not
allow write access to the common name attribute, then set an ACI that explicitly
denies write access to the common name attribute.

Where to Place Access Control Rules

Access control rules can be placed on any entry in the directory. Often,
administrators place access control rules on entries of type country,
organization, organizationalUnit, inetOrgPerson, or group.
To simplify your ACL administration, group your rules as much as possible. Since
a rule generally applies to its target entry and to all of that entry's children, it is
best to place access control rules on root points in the directory or on directory
branch points, rather than scatter them across individual leaf (such as person)
entries.

Using Filtered Access Control Rules

One of the more powerful features of the Directory Server ACI model is the ability
to use LDAP search filters to set access control. LDAP search filters allow you to
set access to any directory entry that matches a defined set of criteria.
For example, you could allow read access for any entry that contains an
organizationalUnit attribute that is set to Marketing.
Filtered access control rules let you use predefined levels of access. Suppose your
directory contains home address and telephone number information. Some
people want to publish this information, while others want to be "unlisted." You
can handle this situation by doing the following:

1. Create an attribute on every user's directory entry called
   publishHomeContactInfo.
2. Set an access control rule that grants read access to the homePostalAddress
   and homePhone attributes only for entries whose publishHomeContactInfo
   attribute is set to TRUE (meaning enabled). Use an LDAP search filter to
   express the target for this rule.
3. Allow your directory users to change the value of their own
   publishHomeContactInfo attribute to either TRUE or FALSE. In this way,
   the directory user can decide whether this information is publicly available.
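The following LDIF is an added example, not taken from the Deployment Guide, that puts the ideas of both preceding sections into concrete ACIs: the rules are attached to a branch point (ou=People) rather than to individual person entries, an explicit deny stops the Mail Administrators from writing cn even though a broader allow lets them manage the branch, and a targetfilter implements the publishHomeContactInfo scheme described above. The suffix dc=example,dc=com, the branch ou=People, the group cn=Mail Administrators,ou=Groups, and the existence of a publishHomeContactInfo attribute in the schema (step 1 above) are all assumptions.

```ldif
# Added example; assumed suffix dc=example,dc=com and assumed group
# cn=Mail Administrators,ou=Groups,dc=example,dc=com. Apply with ldapmodify
# as a user allowed to write the aci attribute on ou=People.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
# Branch-level allow: Mail Administrators may manage every entry under ou=People.
aci: (targetattr="*")(version 3.0; acl "Mail Administrators manage People"; allow (write) groupdn="ldap:///cn=Mail Administrators,ou=Groups,dc=example,dc=com";)
# Explicit deny on one attribute. Deny takes precedence over allow, so the
# broad write permission above never extends to the common name.
aci: (targetattr="cn")(version 3.0; acl "Deny cn writes to Mail Administrators"; deny (write) groupdn="ldap:///cn=Mail Administrators,ou=Groups,dc=example,dc=com";)
# Filtered rule: home contact attributes are readable only on entries whose
# publishHomeContactInfo flag (assumed custom attribute) is TRUE.
aci: (targetattr="homePostalAddress || homePhone")(targetfilter="(publishHomeContactInfo=TRUE)")(version 3.0; acl "Read home contact info when published"; allow (read,search) userdn="ldap:///anyone";)
# Each user may flip only their own flag to TRUE or FALSE.
aci: (targetattr="publishHomeContactInfo")(version 3.0; acl "Self-manage publish flag"; allow (write) userdn="ldap:///self";)
```

To check the result, bind as an ordinary user and search a colleague's entry for homePhone: the attribute should be returned only when that colleague's publishHomeContactInfo is TRUE. Bind as a member of Mail Administrators and attempt to modify cn on a person entry; the server should reject the change with an insufficient access error while other attribute modifications succeed.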
For more information about using LDAP search filters, and on using LDAP search
filters with ACIs, see the Netscape Directory Server Administrator's Guide.
160
Netscape Directory Server Deployment Guide • October 2004
