Adding, editing, and removing nonfiltered ACLs
Use this information to manage nonfiltered access control lists (ACLs).
You can add new nonfiltered ACLs to an entry, or edit existing nonfiltered ACLs.
Nonfiltered ACLs can be propagated. This means that access control information defined for one entry can be applied to all of its subordinate entries. The ACL source is the source of the current ACL for the selected entry. If the entry does not have an ACL, it inherits an ACL from its parent objects, based on the ACL settings of those parent objects.
Enter the following information on the Non-filtered ACLs tab:
- Propagate ACLs - Select the Propagate check box to allow descendants without an explicitly defined ACL to inherit from this entry. If the check box is selected, descendants inherit ACLs from this entry; if an ACL is explicitly defined for a child entry, the ACL that was inherited from the parent is replaced with the new ACL that was added. If the check box is not selected, descendant entries without an explicitly defined ACL inherit ACLs from a parent of this entry that has this option enabled.
- DN (Distinguished Name) - Enter the distinguished name (DN) of the entity requesting access to perform operations on the selected entry, for example, cn=Marketing Group.
- Type - Enter the Type of DN. For example, select access-id if the DN is a user.
Click either the Add button to add the DN in the DN (Distinguished Name) field to the ACL list or the Edit button to change the ACLs of an existing DN.
The Add access rights and Edit access rights panels allow you to set the access rights for a new or existing access control list (ACL). The Type field defaults to the type you selected on the Edit ACL panel. If you are adding an ACL, all other fields default to blank. If you are editing an ACL, the fields contain the values set the last time the ACL was modified.
You can:
- Change the ACL type
- Set addition and deletion rights
- Set permissions for security classes
To set access rights:
- Select the Type of entry for the ACL. For example, select access-id if the DN is a user.
- The Rights section displays the addition and deletion rights of the subject.
  - Add child grants or denies the subject the right to add a directory entry beneath the selected entry.
  - Delete entry grants or denies the subject the right to delete the selected entry.
- The Security class section defines permissions for attribute classes. Attributes are grouped into security classes:
  - Normal - Normal attribute classes require the least security, for example, the attribute commonName.
  - Sensitive - Sensitive attribute classes require a moderate amount of security, for example homePhone.
  - Critical - Critical attribute classes require the most security, for example, the attribute userpassword.
  - System - System attributes are read only attributes that are maintained by the server.
  - Restricted - Restricted attributes are used to define access control.
Each security class has permissions associated with it.
- Read - the subject can read attributes.
- Write - the subject can change the attributes.
- Search - the subject can search attributes.
- Compare - the subject can compare attributes.
Additionally, you can specify permissions based on the attribute instead of the security class to which the attribute belongs. The attribute section is listed below the Critical security class.
- Select an attribute from the Define an attribute drop-down list.
- Click Define. The attribute is displayed with a permissions table.
- Specify whether to grant or deny each of the four security class permissions associated with the attribute.
- You can repeat this procedure for multiple attributes.
- To remove an attribute, simply select the attribute and click Delete.
- When you are finished, click OK.
You can remove ACLs in either of two ways:
- Select the radio button next to the ACL you want to delete. Click Remove.
- Click Remove all to delete all DNs from the list.
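The propagation rule described for the Propagate check box can be modeled in a few lines to review which ACL actually governs an entry before you change or remove one. This is an added example, not code from the product: the tree, the o=sample suffix, the function names, and the choice to treat "no ACL source found" as no access are all assumptions of the model.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Acl:
    propagate: bool                    # state of the Propagate check box
    # subject DN -> {security class: permission letters}; constructed model
    rights: dict = field(default_factory=dict)

def normalize(dn):
    """Lower-case a DN and trim spaces around RDNs (escaped commas are kept)."""
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def parent_dn(dn):
    """Parent of a normalized DN, or None at the top of the tree."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else None

def acl_source(dn, explicit):
    """DN of the entry whose ACL applies to `dn`, or None if nothing applies."""
    dn = normalize(dn)
    if dn in explicit:                 # explicit ACL replaces the inherited one
        return dn
    ancestor = parent_dn(dn)
    while ancestor is not None:
        acl = explicit.get(ancestor)
        if acl is not None and acl.propagate:
            return ancestor            # nearest ancestor that propagates
        ancestor = parent_dn(ancestor) # non-propagating ACLs are skipped
    return None

def allowed(subject, dn, sec_class, perm, explicit):
    """True if `subject` holds `perm` (r/w/s/c) on `sec_class` for entry `dn`."""
    source = acl_source(dn, explicit)
    if source is None:                 # assumption: no source means no access
        return False
    rights = explicit[source].rights.get(normalize(subject), {})
    return perm in rights.get(sec_class, "")

# Constructed sample ACLs: Payroll is locked down but does NOT propagate.
MKT = "cn=Marketing Group,o=sample"
EXPLICIT = {
    normalize("o=sample"): Acl(True, {normalize(MKT): {"normal": "rsc", "sensitive": "rsc"}}),
    normalize("ou=Payroll,o=sample"): Acl(False, {}),
}

if __name__ == "__main__":
    for dn in ("ou=Payroll,o=sample", "cn=Bob,ou=Payroll,o=sample"):
        print(dn, "->", acl_source(dn, EXPLICIT),
              "| Marketing reads sensitive:", allowed(MKT, dn, "sensitive", "r", EXPLICIT))
```

In this model the restrictive ACL on ou=Payroll covers only that entry: because Propagate is cleared, cn=Bob beneath it falls back to the ACL propagated from o=sample, so the Marketing Group can still read its sensitive attributes.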