Adding, editing, and removing filtered ACLs


Use this information to view access rights for a filtered access control list (ACL).

You can add new filtered ACLs to an entry, or edit existing filtered ACLs.

Filter-based ACLs employ a filter-based comparison, using a specified object filter, to match target objects with the effective access that applies to them.

The default behavior of filter-based ACLs is to accumulate from the lowest containing entry, upward along the ancestor entry chain, to the highest containing entry in the DIT. The effective access is calculated as the union of the access rights granted, or denied, by the constituent ancestor entries. There is an exception to this behavior. For compatibility with the subtree replication function, and to allow greater administrative control, a ceiling attribute is used as a means to stop accumulation at the entry in which it is contained.

Enter the following information on the Filtered ACLs tab:

Click either the Add button to add the DN in the DN (Distinguished Name) field to the ACL list, or the Edit button to change the ACLs of an existing DN.

The Add access rights and Edit access rights panels allow you to set the access rights for a new or existing access control list (ACL). The Type field defaults to the type you selected on the Edit ACL panel. If you are adding an ACL, all other fields default to blank. If you are editing an ACL, the fields contain the values set the last time the ACL was modified.

You can:

To set access rights:

  1. Select the Type of entry for the ACL. For example, select access-id if the DN is a user.

  2. The Rights section displays the addition and deletion rights of the subject.

    • Add child grants or denies the subject the right to add a directory entry beneath the selected entry.

    • Delete entry grants or denies the subject the right to delete the selected entry.

  3. Set the object filter for a filter-based comparison. In the Object filter field, enter the desired object filter for the selected ACL. Click the Edit filter button for assistance in composing the search filter string. The current filtered ACL propagates to any descendant object in the associated subtree that matches the filter in this field.

  4. The Security class section defines permissions for attribute classes. Attributes are grouped into security classes:

    • Normal - Normal attribute classes require the least security, for example, the attribute commonName.

    • Sensitive - Sensitive attribute classes require a moderate amount of security, for example homePhone.

    • Critical - Critical attribute classes require the most security, for example, the attribute userpassword.

    • System - System attributes are read-only attributes that are maintained by the server.

    • Restricted - Restricted attributes are used to define access control.

    Each security class has permissions associated with it.

    • Read - the subject can read attributes.

    • Write - the subject can change the attributes.

    • Search - the subject can search attributes.

    • Compare - the subject can compare attributes.

    Additionally, you can specify permissions based on the attribute instead of the security class to which the attribute belongs. The attribute section is listed below the Critical security class.

    • Select an attribute from the Define an attribute drop-down list.

    • Click Define. The attribute is displayed with a permissions table.

    • Specify whether to grant or deny each of the four security class permissions associated with the attribute.

    • You can repeat this procedure for multiple attributes.

    • To remove an attribute, simply select the attribute and click Delete.

    • When you are finished click OK.
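The following model illustrates the two points made above: how filtered ACLs accumulate from the target entry upward along the ancestor chain (with the ceiling attribute stopping that accumulation), and how grant/deny permissions on the Normal, Sensitive and Critical security classes combine into effective access. It is an added example, not code from the IBM documentation or the directory server itself. The entry layout, the subject string, the tiny LDAP filter subset it parses, and the rule that an accumulated deny overrides an accumulated grant are assumptions of this model.

```python
# Added example: a model of filter-based ACL accumulation and the ceiling
# attribute. Entry names, the subject string and the deny-overrides-grant
# rule are assumptions of this model, not the product's own behaviour.

from dataclasses import dataclass, field

CLASSES = ("normal", "sensitive", "critical")   # security classes
PERMS = frozenset("rwsc")                        # read, write, search, compare


@dataclass
class FilteredAcl:
    subject: str           # e.g. "access-id:cn=joe,o=example" (constructed)
    obj_filter: str        # (attr=value), (&(...)(...)) or (|(...)(...))
    grant: dict = field(default_factory=dict)   # class -> "rwsc" subset
    deny: dict = field(default_factory=dict)


@dataclass
class Entry:
    dn: str
    attrs: dict                        # attr -> set of lowercase values
    acls: list = field(default_factory=list)
    ceiling: bool = False              # stop accumulation at this entry


def parse_filter(text):
    """Parse a small subset of LDAP search filters into a predicate."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: " + text)
    body = text[1:-1]
    if body[0] in "&|":
        op, rest = body[0], body[1:]
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(rest):          # split top-level sub-filters
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(rest[start:i + 1]))
        combine = all if op == "&" else any
        return lambda e: combine(p(e) for p in parts)
    attr, _, value = body.partition("=")
    attr, value = attr.lower(), value.lower()
    return lambda e: value in e.attrs.get(attr, set())


def ancestors_first(dit, dn):
    """Yield the target entry, then each containing entry up to the root.
    RDN values containing commas are not handled by this simple split."""
    while dn:
        yield dit[dn]
        dn = dn.partition(",")[2]


def effective_access(dit, target_dn, subject):
    """Union the grants and denies of every matching ACL on the chain;
    stop after an entry that carries the ceiling attribute."""
    target = dit[target_dn]
    granted = {c: set() for c in CLASSES}
    denied = {c: set() for c in CLASSES}
    for entry in ancestors_first(dit, target_dn):
        for acl in entry.acls:
            if acl.subject != subject or not parse_filter(acl.obj_filter)(target):
                continue
            for c in CLASSES:
                granted[c] |= set(acl.grant.get(c, "")) & PERMS
                denied[c] |= set(acl.deny.get(c, "")) & PERMS
        if entry.ceiling:
            break
    return {c: granted[c] - denied[c] for c in CLASSES}   # assumed: deny wins


JOE = "access-id:cn=joe,o=example"   # constructed subject


def build_dit(ceiling_at_hr):
    """Constructed sample tree: ACLs at three levels of the ancestor chain."""
    person = "(objectclass=person)"
    entries = [
        Entry("o=example", {"objectclass": {"organization"}},
              [FilteredAcl(JOE, person, grant={"normal": "rsc"})]),
        Entry("ou=people,o=example", {"objectclass": {"organizationalunit"}},
              [FilteredAcl(JOE, person, grant={"sensitive": "rsc"},
                           deny={"critical": "w"})]),
        Entry("ou=hr,ou=people,o=example", {"objectclass": {"organizationalunit"}},
              [FilteredAcl(JOE, "(&(objectclass=person)(department=hr))",
                           grant={"critical": "rwsc"})],
              ceiling=ceiling_at_hr),
        Entry("cn=ann,ou=hr,ou=people,o=example",
              {"objectclass": {"person", "top"}, "department": {"hr"}}),
        Entry("cn=bob,ou=people,o=example",
              {"objectclass": {"person", "top"}, "department": {"sales"}}),
    ]
    return {e.dn: e for e in entries}


if __name__ == "__main__":
    for ceiling in (False, True):
        dit = build_dit(ceiling)
        print("ceiling at ou=hr:", ceiling)
        print("  ann:", effective_access(dit, "cn=ann,ou=hr,ou=people,o=example", JOE))
        print("  bob:", effective_access(dit, "cn=bob,ou=people,o=example", JOE))
```

Without the ceiling, Ann's effective access is the union of all three levels (the deny of critical write at ou=people removes the write granted at ou=hr); with the ceiling set on ou=hr, only that entry's ACL reaches her, so she keeps critical write but receives no Normal or Sensitive rights from higher entries. Bob, outside the hr subtree, never matches the hr filter at all.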

You can remove ACLs in either of two ways:

