Directory Server, Version 6.1

---

 

Access control lists

The following sections describe access control lists (ACLs) and how to manage them.

 

Overview

Access control lists (ACLs) provide a means to protect information stored in a LDAP directory. Administrators use ACLs to restrict access to different portions of the directory, or specific directory entries. LDAP directory entries are related to each other by a hierarchical tree structure. Each directory entry (or object) contains the distinguished name of the object as well as a set of attributes and their corresponding values.

The access control model defines two sets of attributes:

• The entryOwner information

• The Access Control Information (ACI)

In conformance with the LDAP model, the ACI information and the entryOwner information is represented as attribute-value pairs. The LDIF syntax can be used to administer these values.

 

EntryOwner information

The entryOwner information controls which subjects can define the ACIs. An entry Owner also acquires full access rights to the target object. The attributes that define entry ownership are:

• entryOwner - Explicitly defines an entry owner.

• ownerPropagate - Specifies whether the permission set is propagated to the subtree descendant entries.

The entry owners have complete permissions to perform any operation on the object regardless of the aclEntry. Additionally, the entry owners are the only ones who are permitted to administer the aclEntries for that object. EntryOwner is an access control subject, it can be defined as individuals, groups or roles.

Note:

The directory administrator and local administration group members who are assigned the DirDataAdmin role are the entryOwners for all objects in the directory by default, and this entryOwnership cannot be removed from any object.

 

Access control information

The ACI specifically defines a subject's permission to perform a given operation against certain LDAP objects.

 

Non-filtered ACLs

This type of ACL applies explicitly to the directory entry that contains them, but may be propagated to none or all of its descendant entries. The default behavior of the non-filtered ACL is to propagate. The attributes that define non-filtered ACLs are:

• aclEntry - Defines a permission set.

• aclPropagate - Specifies whether the permission set is propagated to the subtree descendant entries.

 

Filtered ACLs

Filter-based ACLs differ in that they employ a filter-based comparison, using a specified object filter, to match target objects with the effective access that applies to them.

Although they perform the same function, the behavior of the two types of ACLs is significantly different. Filter-based ACLs do not propagate in the same way that non-filter-based ACLs currently do. By nature, they inherently propagate to any comparison matched objects in the associated subtree. For this reason, the aclPropagate attribute, which is used to stop propagation of non-filter ACLs, does not apply to the new filter-based ACLs.

The default behavior of filter-based ACLs to accumulate from the lowest containing entry, upward along the ancestor entry chain, to the highest containing entry in the DIT. The effective access is calculated as the union of the access rights granted, or denied, by the constituent ancestor entries. There is an exception to this behavior. For compatibility with the subtree replication feature, and to allow greater administrative control, a ceiling attribute is used as a means to stop accumulation at the entry in which it is contained.

A separate set of access control attributes are used specifically for filter-based ACL support, rather than merging filter-based characteristics into the existing non-filter based ACLs. The attributes are:

• ibm-filterAclEntry

• ibm-filterAclInherit

The ibm-filterAclEntry attribute has the same format as aclEntry, with the addition of an object filter component. The associated ceiling attribute is ibm-filterAclInherit. By default it is set to true. When set to false, it terminates the accumulation.

 

The access control attribute syntax

Each of these attributes can be managed using LDIF notation. The syntax for the new filter-based ACL attributes are modified versions of the current non-filter-based ACL attributes. The following defines the syntax for the ACI and entryOwner attributes using baccus naur form (BNF).

 <aclEntry> ::=  <subject> [ ":"  <rights> ] 

 <aclPropagate> ::=  "true" | "false" 

 <ibm-filterAclEntry> ::=  <subject>  ":" <object filter>  [ ":"  <rights> ] 

 <ibm-filterAclInherit> ::=  "true" | "false"

 <entryOwner> ::=  <subject> 

 <ownerPropagate> ::= "true" | "false" 

 <subject> ::= <subjectDnType> ':' <subjectDn> | 
                        <pseudoDn> 

 <subjectDnType> ::= "role" | "group" | "access-id" 

 <subjectDn> ::= <DN> 

 <DN> ::= distinguished name as described in RFC 2251, section 4.1.3. 

 <pseudoDn> ::= "group:cn=anybody" | "group:cn=authenticated" | 
                         "access-id:cn=this" 

 <object filter> ::= string search filter as defined in RFC 2254, section 4
  	           	         (extensible matching is not supported).

 <rights> ::= <accessList> [":" <rights> ] 

 <accessList> ::=  <objectAccess> | <attributeAccess> | 
                            <attributeClassAccess> 

 <objectAccess> ::= "object:" [<action> ":"]  <objectPermissions> 

 <action> ::= "grant" | "deny" 

 <objectPermisssions> ::=  <objectPermission> [ <objectPermissions> ] 

 <objectPermission> ::= "a" | "d" |  "" 

 <attributeAccess> ::= "at." <attributeName> ":" [<action> ":"]  
                                <attributePermissions> 

 <attributeName> ::= attributeType name as described in RFC 2251, section 4.1.4. 
                        (OID or alpha-numeric string with leading 
                         alphabet, "-" and ";" allowed) 

 <attributePermissions> ::=  <attributePermission> 
                                   [<attributePermissions>] 

 <attributePermission> ::=  "r" | "w" | "s" | "c" |  "" 

 <attributeClassAccess> ::= <class> ":" [<action> ":"] 
                                     <attributePermissions> 

 <class> ::= "normal" | "sensitive" | "critical" | "system" | "restricted" 
  

 

Subject

A subject (the entity requesting access to operate on an object) consists of the combination of a DN (Distinguished Name) type and a DN. The valid DN types are: access Id, Group and Role.

The DN identifies a particular access-id, role or group. For example, a subject might be "access-id: cn=personA, o=IBM or group: cn=deptXYZ, o=IBM".

Because the field delimiter is the colon ( : ), a DN containing colons must be surrounded by double-quotation marks ( "" ). If a DN already contains characters with double-quotation marks, these characters must be escaped with a backslash (\).

All directory groups can be used in access control.

Note:

Any group of AccessGroup, GroupOfNames, GroupofUniqueNames, or groupOfURLs structural objectclasses or the ibm-dynamicGroup, ibm-staticGroup auxiliary objectclasses can be used for access control.

Another DN type used within the access control model is role. While roles and groups are similar in implementation, conceptually they are different. When a user is assigned to a role, there is an implicit expectation that the necessary authority has already been set up to perform the job associated with that role. With group membership, there is no built in assumption about what permissions are gained (or denied) by being a member of that group.

Roles are similar to groups in that they are represented in the directory by an object. Additionally, roles contain a group of DNs. Roles that are used in access control must have an objectclass of AccessRole.

 

Pseudo DNs

Pseudo DNs are used in access control definition and evaluation. The directory contains several pseudo DNs (for example, "group:cn=Anybody" and "access-id:cn=this"), which are used to refer to large numbers of DNs that share a common characteristic, in relation to either the operation being performed or the object on which the operation is being performed.

Three pseudo DNs are supported by LDAP version 3:

access-id: cn=this

When specified as part of an ACL, this DN refers to the bindDN, which matches the DN on which the operation is performed. For example, if an operation is performed on the object "cn=personA, ou=IBM, c=US" and the bindDn is "cn=personA, ou=IBM, c=US", the permissions granted are a combination of those given to "cn=this" and those given to "cn=personA, ou=IBM, c=US".

group: cn=anybody

When specified as part of an ACL, this DN refers to all users, even those that are unauthenticated. Users cannot be removed from this group, and this group cannot be removed from the database.

group: cn=Authenticated

This DN refers to any DN that has been authenticated by the directory. The method of authentication is not considered.

Note:

"cn=Authenticated" refers to a DN that has been authenticated anywhere on the server, regardless of where the object representing the DN is located. It should be used with caution, however. For example, under one suffix, "cn=Secret" could be a node called "cn=Confidential Material" which has an aclentry of "group:cn=Authenticated:normal:rsc". Under another suffix, "cn=Common" could be the node "cn=Public Material". If these two trees are located on the same server, a bind to "cn=Public Material" would be considered authenticated, and would get permission to the normal class on the "cn= Confidential Material" object.

 

Examples of pseudo DNs

Some examples of pseudo DNs:

Example 1

Consider the following ACL for object: cn=personA, c=US AclEntry:

access-id: cn = this:critical:rwsc  
AclEntry: group: cn=Anybody: normal:rsc  
AclEntry: group: cn=Authenticated: sensitive:rcs

User Binding as	Would receive
cn=personA, c=US	normal:rsc:sensitive:rcs:critical:rwsc
cn=personB, c=US	normal:rsc:sensitive:rsc
NULL (unauth.)	normal:rsc

In this example, personA receives permissions granted to the "cn=this" ID, and permissions given to both the "cn=Anybody" and "cn=Authenticated" pseudo DN groups.

Example 2

Consider the following ACL for object: cn=personA, c=US AclEntry:

access-id:cn=personA, c=US: object:ad
AclEntry: access-id: cn = this:critical:rwsc  
AclEntry: group: cn=Anybody: normal:rsc  
AclEntry: group: cn=Authenticated: sensitive:rcs

For an operation performed on cn=personA, c=US:

User Binding as	Would receive
cn=personA, c=US	object:ad:critical:rwsc
cn=personB, c=US	normal:rsc:sensitive:rsc
NULL (unauth.)	normal:rsc

In this example, personA receives permissions granted to the "cn=this" ID, and those given to the DN itself "cn=personA, c=US". Note that the group permissions are not given because there is a more specific aclentry ("access-id:cn=personA, c=US") for the bind DN ("cn=personA, c=US").

Example 3

Consider the following ACL for object: cn=personA, c=US AclEntry, where you want to give that user the ability to change his or her own password:

access-id:cn=this:at.userpassword:rwsc

User Binding as	Would receive
cn=personA, c=US	at.userpassword:rwsc

 

Object filter

This parameter applies to filtered ACLs only. The string search filter as defined in RFC 2254, is used as the object filter format. Because the target object is already known, the string is not used to perform an actual search. Instead, a filter-based compare on the target object in question is performed to determine if a given set of ibm-filterAclEntry values apply to it.

 

Rights

Access rights can apply to an entire object or to attributes of the object. The LDAP access rights are discreet. One right does not imply another right. The rights may be combined together to provide the desired rights list following a set of rules discussed later. Rights can be of an unspecified value, which indicates that no access rights are granted to the subject on the target object. The rights consist of three parts:

Action:

Defined values are grant or deny. If this field is not present, the default is set to grant.

Permission:

There are six basic operations that may be performed on a directory object. From these operations, the base set of ACI permissions are taken. These are: add an entry, delete an entry, read an attribute value, write an attribute value, search for an attribute, and compare an attribute value.

The possible attribute permissions are: read ( r ), write ( w ), search ( s ), and compare ( c ). Additionally, object permissions apply to the entry as a whole. These permissions are add child entries ( a ) and delete this entry ( d ).

The following table summarizes the permissions needed to perform each of the LDAP operations.

Operation	Permission Needed
idsldapadd	add (on parent)
idsldapdelete	delete (on object)
idsldapmodify	write (on attributes being modified)
idsldapsearch	search, read (on attributes in RDN) search (on attributes specified in the search filter) search (on attributes returned with just names) search, read (on attributes returned with values)
idsldapmodrdn	write (on RDN attributes)

For search operations, the subject is required to have search (s) access to all the attributes in the search filter or no entries are returned. For returned entries from a search, the subject is required to have search (s) and read (r) access to all the attributes in the RDN of the returned entries or these entries are not returned.

In the following example, the at.telephoneNumber:rsc permission set grants members of the cn=Bowling Team, ou=Groups, o=sample read only access to only the telephoneNumber attribute contained in this entry. The at.cn:rsc permission set ensures that the RDN search criteria is met. For this example the only the cn or telephoneNumber attributes can be used in a search filter. If the title attribute was to be used in a search filter then an additional at.title:rsc permission set would have to be added for the search to be successful.

dn: cn=Bonnie Daniel, ou=Widget Division, ou=Austin, o=sample
objectclass: person
objectclass: organizationalPerson
cn: Bonnie Daniel
sn: Daniel
telephonenumber: 1-812-855-7453
internationaliSDNNumber: 755-7453
title: RISC Manufacturing
seealso: cn=Mary Burnnet, ou=Widget Division, ou=Austin, o=sample
postalcode: 1515
aclentry: group: cn=Bowling Team, ou=Groups, o=sample: at.cn:rsc: 
at.telephoneNumber:r

Access Target:

These permissions can be applied to the entire object (add child entry, delete entry), to an individual attribute within the entry, or can be applied to groups of attributes (Attribute Access Classes) as described in the following.

Attributes requiring similar permissions for access are grouped together in classes. Attributes are mapped to their attribute classes in the directory schema file. These classes are discrete; access to one class does not imply access to another class. Permissions are set with regard to the attribute access class as a whole. The permissions set on a particular attribute class apply to all attributes within that access class unless individual attribute access permissions are specified.

IBM® defines five attribute classes that are used in evaluation of access to user attributes: normal, sensitive, critical, system, and restricted. As examples, the attribute commonName belongs to the normal class, and the attribute userPassword belongs to the critical class. User defined attributes belong to the normal access class unless otherwise specified.

The system class attributes that apply to access control are:

• aclSource

• ibm-effectiveAcl

• ownerSource

These are attributes maintained by the LDAP server and are read-only to the directory users and administrators. OwnerSource and aclSource are described in the Propagation section.

The restricted class attributes that define access control are:

• aclEntry

• aclPropagate

• entryOwner

• ibm-filterAclEntry

• ibm-filterAclInherit

• ownerPropagate

By default all users have read access to the restricted attributes but only entryOwners can create, modify, and delete these attributes.

 

Propagation

Entries on which an aclEntry has been placed are considered to have an explicit aclEntry. Similarly, if the entryOwner has been set on a particular entry, that entry has an explicit owner. The two are not intertwined, an entry with an explicit owner may or may not have an explicit aclEntry, and an entry with an explicit aclEntry might have an explicit owner. If either of these values is not explicitly present on an entry, the missing value is inherited from an ancestor node in the directory tree.

Each explicit aclEntry or entryOwner applies to the entry on which it is set. Additionally, the value might apply to all descendants that do not have an explicitly set value. These values are considered propagated; their values propagate through the directory tree. Propagation of a particular value continues until another propagating value is reached.

Note:

Filter-based ACLs do not propagate in the same way that non-filter-based ACLs do. They propagate to any comparison matched objects in the associated subtree. See Filtered ACLs for more information on the differences.

AclEntry and entryOwner can be set to apply to just a particular entry with the propagation value set to "false", or an entry and its subtree with the propagation value set to "true". Although both aclEntry and entryOwner can propagate, their propagation is not linked in anyway.

The aclEntry and entryOwner attributes allow multiple values within the same entry, however, the propagation attributes, aclPropagate and ownerPropagate, can only have a single value within the same entry.

The system attributes aclSource and ownerSource contain the DN of the effective node from which the aclEntry or entryOwner are evaluated, respectively. If no such node exists, the value default is assigned.

An object's effective access control definitions can be derived by the following logic:

• If there is a set of explicit access control attributes at the object, then that is the object's access control definition.

• If there is no explicitly defined access control attributes, then traverse the directory tree upwards until an ancestor node is reached with a set of propagating access control attributes.

• If no such ancestor node is found, the default access described in Access evaluation is granted to the subject.

 

Access evaluation

Access for a particular operation is granted or denied based on the subject's bind DN for that operation on the target object. Processing stops as soon as access can be determined.

The checks for access are done by first finding the effective entryOwnership and ACI definition, checking for entry ownership, and then by evaluating the object's ACI values.

Filter-based ACLs accumulate from the lowest containing entry, upward along the ancestor entry chain, to the highest containing entry in the DIT. The effective access is calculated as the union of the access rights granted, or denied, by the constituent ancestor entries. The existing set of specificity and combinatory rules are used to evaluate effective access for filter based ACLs.

Filter-based and non-filter-based attributes are mutually exclusive within a single containing directory entry. Placing both types of attributes into the same entry is not allowed, and is a constraint violation. Operations associated with the creation of, or updates to, a directory entry fail if this condition is detected.

When calculating effective access, the first ACL type to be detected in the ancestor chain of the target object entry sets the mode of calculation. In filter-based mode, non-filter-based ACLs are ignored in effective access calculation. Likewise, in non-filter-based mode, filter-based ACLs are ignored in effective access calculation.

To limit the accumulation of filter-based ACLs in the calculation of effective access, an ibm-filterAclInherit attribute set to a value of "false" may be placed in any entry between the highest and lowest occurrence of ibm-filterAclEntry in a given subtree. This causes the subset of ibm-filterAclEntry attributes above it in the target object's ancestor chain to be ignored.

To exclude the accumulation of filter-based ACLs in the calculation of effective access, an ibm-filterAclInherit attribute set to a value of "false" may be placed in any entry below the lowest occurrence of ibm-filterAclEntry in a given subtree. This causes all ibm-filterAclEntry attributes above it in the target object's ancestor chain to be ignored. The resulting access resolves to the default filter ACL value.

By default, the directory administrator, local administrative group members who are assigned the DirDataAdmin role, and the master server (or peer server for replication) get full access rights to all objects in the directory except write access to system attributes. Other entryOwners get full access rights to the objects under their ownership except write access to system attributes. By default all users have read access rights to normal, system, and restricted attributes. If the requesting subject has entryOwnership, access is determined by the above default settings and access processing stops.

Note:

If explicit ACLs are set on an entry, but no explicit ACLs are set for system attributes, then the requester is automatically granted rsc (read, search, and compare) permissions. To deny access, deny it explicitly. Access is not denied by default.

If the requesting subject is not an entryOwner, then the ACI values for the object entries are checked. The access rights as defined in the ACIs for the target object are calculated by the specificity and combinatory rules.

Specificity rule

The most specific aclEntry definitions are the ones used in the evaluation of permissions granted/denied to a user. The levels of specificity are:

• Access-id is more specific than group or role. Groups and roles are on the same level.

• Within the same dnType level, individual attribute level permissions are more specific than attribute class level permissions.

• Within the same attribute or attribute class level, deny is more specific than grant.

Combinatory rule

Permissions granted to subjects of equal specificity are combined. If the access cannot be determined within the same specificity level, the access definitions of lesser specific level are used. If the access is not determined after all defined ACIs are applied, the access is denied.

Note:

After a matching access-id level aclEntry is found in access evaluation, the group level aclEntries are not included in access calculation. The exception is that if the matching access-id level aclEntries are all defined under cn=this, then all matching group level aclEntries are also combined in the evaluation.

In other words, within the object entry, if a defined ACI entry contains an access-id subject DN that matches the bind DN, then the permissions are first evaluated based on that aclEntry. Under the same subject DN, if matching attribute level permissions are defined, they supersede any permissions defined under the attribute classes. Under the same attribute or attribute class level definition, if conflicting permissions are present, denied permissions override granted permissions.

Note:

A defined null value permission prevents the inclusion of less specific permission definitions.

If access still can not be determined and all found matching aclEntries are defined under "cn=this", then group membership is evaluated. If a user belongs to more than one groups, the user receives the combined permissions from these groups. Additionally, the user automatically belongs to the cn=Anybody group and possibly the cn=Authenticated group if the user did an authenticated bind. If permissions are defined for those groups, the user receives the specified permissions.

Note:

Group and Role membership is determined at bind time and last until either another bind takes place, or until an unbind request is received. Nested groups and roles, that is a group or role defined as a member of another group or role, are not resolved in membership determination nor in access evaluation.

For example, assume attribute1 is in the sensitive attribute class, and user cn=Person A, o=IBM belongs to both group1 and group2 with the following aclEntries defined:

1. aclEntry: access-id: cn=Person A, o=IBM: at.attributel:grant:rsc:sensitive:deny:rsc

2. aclEntry: group: cn=group1,o=IBM:critical:deny:rwsc

3. aclEntry: group: cn=group2,o=IBM:critical:grant:r:normal:grant:rsc

This user gets:

• Access of 'rsc' to attribute1, (from 1. Attribute level definition supersedes attribute class level definition).

• No access to other sensitive class attributes in the target object, (from 1).

• No other rights are granted (2 and 3 are NOT included in access evaluation).

For another example, with the following aclEntries:

1. aclEntry: access-id: cn=this: sensitive

2. aclEntry: group: cn=group1,o=IBM:sensitive:grant:rsc:normal:grant:rsc

The user has:

• no access to sensitive class attributes, (from 1. Null value defined under access-id prevents the inclusion of permissions to sensitive class attributes from group1).

• and access of 'rsc' to normal class attributes (from 2).

 

Working with ACLs

The following sections describe various task that we can perform to manage ACLs.

 

Using the Web Administration Tool utility to manage ACLs

To view ACL properties using the Web Administration Tool utility and to work with ACLs.

1. Click Directory management.

2. Click Manage entries.

3. Select a directory entry. For example, ou=Widget Division,ou=Austin,o=sample.

4. Expand the Select Action drop-down menu.

5. Select Edit ACL.

6. Click Go.
   Note:

   The Edit ACL panel is displayed with the Effective ACLs tab preselected. This panel has five tabs:

   • Effective ACLs

   • Effective owners

   • Non-filtered ACLs

   • Filtered ACLs

   • Owners

The Effective ACLs and Effective owners tabs contain read-only information about the ACLs.

 

Effective ACLs

Effective Access Control Lists (ACLs) are the explicit and inherited ACLs of the selected entry. To view the effective ACLs for the selected entry, click the Load button at the top of the table. The Effective ACLs table contains read-only information in the following columns:

• Select - Select the radio button next to the name of an ACL you want to view.

• Subject DN - The distinguished name of the entry to which access is being granted or denied.

• Subject type - The type of ACL. There are three subject types:

  • access-id - Associates access with a user.

  • group - Associates access with users who are members of the selected group.

  • role - Associates access with users that have been assigned the selected role.

Click Load to load the ACLs. After you have loaded the ACLs, we can refresh the table at any time by clicking Refresh. The timestamp below the table records when the table was last refreshed.

Viewing access rights

We can view the access rights for a specific effective ACL by selecting it and clicking View. The View access rights panel opens.

• The Subject DN section displays the distinguished name of the entry that you are viewing.

• The Subject type section displays the type of ACL that the entry is associated with.

• The Rights section displays the addition and deletion rights of the subject.

  • Add child grants or denies the subject the right to add a directory entry beneath the selected entry.

  • Delete entry grants or denies the subject the right to delete the selected entry.

• The Security class access rights section defines permissions for security classes. Attributes are grouped into security classes:

  • Normal - Normal attributes require the least security, for example, the attribute commonName.

  • Sensitive - Sensitive attributes require a moderate amount of security, for example homePhone.

  • Critical - Critical attributes require the most security, for example, the attribute userpassword.

  • System - System attributes are read only attributes that are maintained by the server.

  • Restricted - Restricted attributes are used to define acess control.
  We can view the attribute to determine its security class. See Viewing attributes if we need information about how to do this.
  Note:

  The system and restricted security class options are displayed only if your server supports system and restricted ACLs. The system security class cannot be set to writable.

• The Attribute access rights section lists attributes that have had their permissions individually set, instead of using those set for security class to which the attribute belongs.

  • Read - The subject can read attributes.

  • Write - The subject can modify the attributes.
    Note:

    System class is not writable.

  • Search - The subject can search attributes.

  • Compare - The subject can compare attributes.

• Click Close to return to the Effective ACL panel.

 

Effective owners

Effective owners are the explicit and inherited owners of the selected entry. The Effective owner table contains read-only information about Subject DN and the Subject type of the effective owners.

 

Non-filtered ACLs

We can add new non-filtered ACLs to an entry, or edit existing non-filtered ACLs.

Non-filtered ACLs can be propagated. This means that access control information defined for one entry can be applied to all of its subordinate entries. The ACL source is the source of current ACL for the selected entry. If the entry does not have an ACL, it inherits an ACL from parent objects based on the ACL settings of the parent objects.

If no ACL applies to a directory object either directly or through inheritance, the following default access is applied: aclentry:group:CN=ANYBODY:normal:rsc:system:rsc:restricted:rsc.

Adding or editing non-flitered ACLs

1. Select the Non-filtered ACLs tab.
   Note:

   If no non-filtered ACLs exist for the entry, the Propagate ACLs check box is preselected and cannot be modified.

2. Select the Propagate check box to allow descendants without an explicitly defined ACL to inherit from this entry. If the check box is selected, the descendent inherits ACLs from this entry and if the ACL is explicitly defined for the child entry, then the ACL which was inherited from parent is replaced with the new ACL that was added. If the check box is not selected, descendant entries without an explicitly defined ACL will inherit ACLs from a parent of this entry that has this option enabled.

3. Click Add to create new access rights for the entry or select an existing Subject DN and click Edit to modify existing ACLs.

   • Specify Subject DN - Type the DN of the entity requesting access to perform operations on the selected entry, for example, cn=Ricardo Garcia,ou=austin,o=sample. We cannot modify this field if you are editing the ACL.

   • Specify the Subject type - Select the type of ACL. For example, select access-id if the DN is a user. We cannot modify this field if you are editing the ACL.

   • From the Add child menu, select whether to grant or deny the subject the right to add a directory entry beneath the selected entry. In this example, if you select grant, Ricardo Garcia is able to add child entries under ou=Widget Division.

   • From the Delete entry menu, select whether to grant or deny the subject the right to delete the selected entry. In this example, it grants or denies cn=Ricardo Garcia the ability to delete ou=Widget Division and any of its child entries.

   • Set the permissions for the Security class access rights for each of the security classes. We can grant the permissions individually or click Grant all or Deny all to grant or deny permissions globally. Ricardo Garcia is given the permissions you set here to all of the attributes of each security class. See Viewing access rights for more information.
     Note:

     If you select Grant all, it gives Ricardo Garcia access to the restricted attributes including the ACLs themselves. This means that Ricardo Garcia can grant himself additional permissions on the entry. For example, if the administrator denied Delete entry permission to Ricardo Garcia on the entry ou=Widget Division,ou=austin,o=sample, Ricardo Garcia could not delete the entry or any of its child entries. If the administrator also clicked Grant All for the security class permissions, Ricardo Garcia is able to change the ACL and can give himself permission to delete the child entries of ou=Widget Division,ou=austin,o=sample and the parent entry itself. If you do select Grant All when creating ACLs, you might want to explicitly deny write permission to the restricted class for security purposes.

   • Additionally, you may specify permissions based on the attribute instead of the security class to which the attribute belongs.

     • Select an attribute from the Define an attribute drop-down list.

     • Click Define. The attribute is displayed with a permissions table.

     • Specify whether to grant or deny each of the four security class permissions associated with the attribute or click Grant all or Deny all to grant or deny permissions globally .

     • We can repeat this procedure for multiple attributes.

     • To remove an attribute, simply select the attribute and click Delete.

     • When you are finished click OK to return to the Edit ACL Panel.

   • Click OK to save your changes and exit.

Removing ACLs non-flitered ACLs

To remove non-flitered ACLs:

• Select the Non-filtered ACLs tab

• Select the radio button next to the ACL you want to delete.

• Click Remove or click Remove all to delete all Subject DNs from the list.

• Click OK to save your changes.

 

Filtered ACLs

We can add new filtered ACLs to an entry, or edit existing filtered ACLs.

Filter-based ACLs employ a filter-based comparison, using a specified object filter, to match target objects with the effective access that applies to them.

The default behavior of filter-based ACLs to accumulate from the lowest containing entry, upward along the ancestor entry chain, to the highest containing entry in the DIT. The effective access is calculated as the union of the access rights granted, or denied, by the constituent ancestor entries. There is an exception to this behavior. For compatibility with the subtree replication feature, and to allow greater administrative control, a ceiling attribute is used as a means to stop accumulation at the entry in which it is contained.

If no ACL applies to a directory object either directly or through inheritance, the following default access is applied:

ibm-filteraclentry:group:CN=ANYBODY:(objectclass=*)normal:rsc:system:rsc
                  :restricted:rsc

Adding or editing flitered ACLs

1. Select the Filtered ACLs tab

2. Enter the following information on the Filtered ACLs tab:

   • Select the Not specified radio button to remove the ibm-filterACLInherit attribute from the selected entry.

   • Select the True radio button to allow the ACLs for the selected entry to accumulate from that entry, upward along the ancestor entry chain, to the highest filter ACL containing entry in the DIT.

   • Select the False radio button to stop the accumulation of filter ACLs at the selected entry.

3. Click Add to create new access rights for the entry or select an existing Subject DN and click Edit to modify existing filtered ACLs.

   • Specify Subject DN - Type the DN of the entity requesting access to perform operations on the selected entry, for example, cn=Ricardo Garcia,ou=austin,o=sample. We cannot modify this field if you are editing the ACL.

   • Specify the Subject type - Select the type of ACL. For example, select access-id if the DN is a user. We cannot modify this field if you are editing the ACL.

   • From the Add child menu, select whether to grant or deny the subject the right to add a directory entry beneath the selected entry. In this example, if you select grant, Ricardo Garcia is able to add child entries under ou=Widget Division.

   • From the Delete entry menu, select whether to grant or deny the subject the right to delete the selected entry. In this example, it grants or denies cn=Ricarco Garcia the ability to delete ou=Widget Division and any of its child entries.

   • Specify the filter for the selected ACL in the Object filter field. The ACL propagates to any descendant object in the associated subtree that matches the filter that you specified in this field. For example, if you specify sn=Campbell as the filter, then Ricardo Garcia has access permissions under ou=Widget Division,ou=austin,o=sample to the entries cn=David Campbell, cn=James Campbell, cn=Michael Campbell+postalcode=4609 and cn=Michael Campbell because each of the entries contain the sn attribute with the value Campbell. Click Edit filter for assistance in composing the search filter string.

   • Set the permissions for the Security class access rights for each of the security classes. We can grant the permissions individually or click Grant all or Deny all to grant or deny permissions globally. Ricardo Garcia is given the permissions you set here to all of the attributes of each security class. See Viewing access rights for more information.
     Note:

     If you select Grant all, it gives Ricardo Garcia access to the restricted attributes including the ACLs themselves. This means that Ricardo Garcia can grant himself additional permissions on the entry. For example, if the administrator denied Delete entry permission to Ricardo Garcia on the entry ou=Widget Division,ou=austin,o=sample, Ricardo Garcia could not delete the entry or any of its child entries. If the administrator also clicked Grant All for the security class permissions, Ricardo Garcia is able to change the ACL and can give himself permission to delete the child entries of ou=Widget Division,ou=austin,o=sample and the parent entry itself. If you do select Grant All when creating ACLs, you might want to explicitly deny write permission to the restricted class for security purposes.

   • Additionally, you may specify permissions based on the attribute instead of the security class to which the attribute belongs.

     • Select an attribute from the Define an attribute drop-down list.

     • Click Define. The attribute is displayed with a permissions table.

     • Specify whether to grant or deny each of the four security class permissions associated with the attribute or click Grant all or Deny all to grant or deny permissions globally .

     • We can repeat this procedure for multiple attributes.

     • To remove an attribute, simply select the attribute and click Delete.

     • When you are finished click OK to return to the Edit ACL Panel..

4. Click OK to save your changes and exit.

Removing filtered ACLs

To remove flitered ACLs:

• Select the Filtered ACLs tab

• Select the radio button next to the ACL you want to delete.

• Click Remove or click Remove all to delete all Subject DNs from the list.

• Click OK to save your changes.

 

Owners

Entry owners have complete permissions to perform any operation on an object. Entry owners can be explicit or propagated (inherited). The owner is the source of the current owner for the selected entry. If the entry does not inherit an owner from a ancestor, this field displays a message stating that this entry inherits owners from default. Adding owners to this entry overrides all inherited owners. By default the directory administrator is the owner of all of the entries in the directory.

Adding an owner

To add an owner for the entry:

1. Select the Owners tab.

   • Select the Propagate owners check box to allow descendants without an explicitly defined owner to inherit from this entry. If the check box is not selected, descendant entries without an explicitly defined owner will inherit owner from a parent of this entry that has this option enabled.

   • Specify the Subject DN. Type the (DN) Distinguished name of the entity that you are granting owner access on the selected entry, for example, cn=Ricardo Garcia,ou=austin,o=sample.

   • Select the Subject type of DN. For example, select access-id if the DN is a user.

2. Click Add.

3. Repeat the process for any additional owners that you want to create.

4. When you are finished, click OK to save your changes and exit to the Manage entries panel.

Removing an owner

To remove an owner from an entry:

1. Select the Owners tab.

2. Select the radio button next to the owner you want to delete.

3. Click Remove or click Remove all to delete all Subject DNs from the list.

4. Click OK to save your changes.

 

Using the command line utilities to manage ACLs

The following sections describe how to use the LDIF utilities to manage ACLs

 

Defining the ACIs and entry owners

The following two examples show an administrative subdomain being established. The first example shows a single user being assigned as the entryOwner for the entire domain. The second example shows a group assigned as the entryOwner.

entryOwner: access-id:cn=Person A,o=IBM 
ownerPropagate: true 

entryOwner: group:cn=System Owners, o=IBM 
ownerPropagate: true 

The next example shows how an access ID "cn=Person 1, o=IBM" is being given permissions to read, search, and compare attribute1. The permission applies to any node in the entire subtree, at or below the node containing this ACI, that matches the "(objectclass=groupOfNames)" comparison filter. The accumulation of matching ibm-filteraclentry attributes in any ancestor nodes has been terminated at this entry by setting the ibm-filterAclInherit attribute to "false".

ibm-filterAclEntry: access-id:cn=Person 1,o=IBM:(objectclass=groupOfNames):
                    at.attribute1:grant:rsc

ibm-filterAclInherit: false

The next example shows how a group "cn=Dept XYZ, o=IBM" is being given permissions to read, search and compare attribute1. The permission applies to the entire subtree below the node containing this ACI.

aclEntry: group:cn=Dept XYZ,o=IBM:at.attribute1:grant:rsc 
aclPropagate: true 

The next example shows how a role "cn=System Admins,o=IBM" is being given permissions to add objects below this node, and read, search and compare attribute2 and the critical attribute class. The permission applies only to the node containing this ACI.

aclEntry: role:cn=System Admins,o=IBM:object:grant:a:at.
         attribute2:grant:rsc:critical:grant:rsc 
aclPropagate: false

 

Modifying the ACI and entry owner values

Modify-replace

Modify-replace works the same way as all other attributes. If the attribute value does not exist, create the value. If the attribute value exists, replace the value.

Given the following ACIs for an entry:

aclEntry: group:cn=Dept ABC,o=IBM:normal:grant:rsc 
aclPropagate: true 

perform the following change:

dn: cn=some entry 
changetype: modify 
replace: aclEntry 
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc 

The resulting ACI is:

aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc 
aclPropagate: true 

ACI values for Dept ABC are lost through the replace.

Given the following ACIs for an entry:

ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC):normal
                  :grant:rsc 
ibm-filterAclInherit: true 

perform the following changes:

dn: cn=some entry 
changetype: modify 
replace: ibm-filterAclEntry 
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
                  :grant:rsc 

dn: cn=some entry 
changetype: modify 
replace: ibm-filterAclInherit 
ibm-filterAclInherit: false 

The resulting ACI is:

ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
                   :grant:rsc 
ibm-filterAclInherit: false 

ACI values for Dept ABC are lost through the replace.

Modify-add

During an idsldapmodify-add, if the ACI or entryOwner does not exist, the ACI or entryOwner with the specific values is created. If the ACI or entryOwner exists, then add the specified values to the given ACI or entryOwner. For example, given the ACI:

 aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc 

with a modification:

dn: cn=some entry 
changetype: modify 
add: aclEntry 
aclEntry: group:cn=Dept ABC,o=IBM:at.attribute1:grant:rsc 

would yield an multi-valued aclEntry of:

aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc 
aclEntry: group:cn=Dept ABC,o=IBM:at.attribute1:grant:rsc 

For example, given the ACI:

Ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
                  :grant:rsc 

with a modification:

dn: cn=some entry 
changetype: modify 
add: ibm-filterAclEntry 
ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC)
                  :at.attribute1:grant:rsc 

would yield an multi-valued aclEntry of:

Ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
                  :grant:rsc
ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC):at.attribute1
                  :grant:rsc

The permissions under the same attribute or attribute class are considered as the basic building blocks and the actions are considered as the qualifiers. If the same permission value is being added more than once, only one value is stored. If the same permission value is being added more than once with different action values, the last action value is used. If the resulting permission field is empty (""), this permission value is set to null and the action value is set to grant.

For example, given the following ACI:

 aclEntry: group:cn=Dept XYZ,O=IBM:normal:grant:rsc 

with a modification:

dn: cn=some entry 
changetype: modify 
add: aclEntry 
aclEntry: group:cn=Dept XYZ,o=IBM:normal:deny:r:critical:deny::sensitive
        :grant:r 

yields an aclEntry of:

aclEntry: group:cn=Dept XYZ,O=IBM:normal:grant:sc:normal:deny:r:critical
        :grant::sensitive:grant:r 

For example, given the following ACI:

Ibm-filterAclEntry: group:cn=Dept XYZ,O=IBM:(cn=Manager XYZ):normal
                  :grant:rsc 

with a modification:

dn: cn=some entry 
changetype: modify 
add: ibm-filterAclEntry 
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
                  :deny:r:critical:deny::sensitive:grant:r

yields an aclEntry of:

ibm-filterAclEntry: group:cn=Dept XYZ,O=IBM:(cn=Manager XYZ):normal
                  :grant:sc:normal:deny:r:critical:grant::sensitive
                  :grant:r 

Modify-delete

To delete a particular ACI value, use the regular idsldapmodify-delete syntax.

Given an ACI of:

aclEntry: group:cn=Dept XYZ,o=IBM:object:grant:ad 
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rwsc 

dn: cn = some entry 
changetype: modify 
delete: aclEntry 
aclEntry: group:cn=Dept XYZ,o=IBM:object:grant:ad 

yields a remaining ACI on the server of :

aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rwsc 

Given an ACI of:

ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):object
                  :grant:ad 
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
                  :grant:rwsc 
      
dn: cn = some entry 
changetype: modify 
delete: ibm-filterAclEntry 
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):object
                  :grant:ad 

yields a remaining ACI on the server of:

ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
                  :grant:rwsc 

Deleting an ACI or entryOwner value that does not exist results in an unchanged ACI or entryOwner and a return code specifying that the attribute value does not exist.

 

Deleting the ACI/entry owner values

With the idsldapmodify-delete operation, the entryOwner can be deleted by specifying

dn: cn = some entry 
changetype: modify 
delete: entryOwner 

In this case, the entry would then have no explicit entryOwner. The ownerPropagate is also removed automatically. This entry would inherit its entryOwner from the ancestor node in the directory tree following the propagation rule.

The same can be done to delete aclEntry completely:

dn: cn = some entry 
changetype: modify 
delete: aclEntry 

Deleting the last ACI or entryOwner value from an entry is not the same as deleting the ACI or entryOwner. It is possible for an entry to contain an ACI or entryOwner with no values. In this case, nothing is returned to the client when querying the ACI or entryOwner and the setting propagates to the descendent nodes until it is overridden. To prevent dangling entries that nobody can access, the directory administrator always has full access to an entry even if the entry has a null ACI or entryOwner value.

 

Retrieving the ACI/entry owner values

The effective ACI or entryOwner values can be retrieved by simply specifying the desired ACL or entryOwner attributes in a search, for example,

idsldapsearch -b "cn=object A, o=ibm" -s base "objectclass=*"     aclentry aclpropagate aclsource entryowner ownerpropagate ownersource
    ibm-filterAclEntry ibm-filterAclInherit ibm-effectiveAcl

returns all ACL or entryOwner information that is used in access evaluation on object A. Note that the returned values might not look exactly the same as they are first defined. The values are the equivalent of the original form.

Searching on the ibm-filterAclEntry attribute alone only returns the values specific to the containing entry.

A read-only operational attribute, ibm-effectiveAcl, is used to show the accumulated effective access. A search request for ibm-effectiveAcl returns the effective access that applies to the target object based on: non-filter ACLs, or filter ACLs, depending on how they have been distributed in the DIT.

Because filter-based ACLs might come from several ancestor sources, a search on the aclSource attribute produces a list of the associated sources.

 

Subtree replication considerations

For non-filter-based access to be included in subtree replication, any aclEntry attributes must reside at the associated ibm-replicationContext entry. Because effective access cannot be propagated from an ancestor entry above a replicated subtree, the aclPropagate attribute must be set to a value of true.

For filter-based access to be included in subtree replication, any ibm-filterAclEntry attributes must reside at, or below, the associated ibm-replicationContext entry. Because effective access cannot be accumulated from an ancestor entry above a replicated subtree, the ibm-filterAclInherit attribute must be set to a value of false, and reside at the associated ibm-replicationContext entry.

[ Top of Page | Previous Page | Next Page | Contents | Index ]