An example focus problem and solution
A problem in focusing an access control item can occur when you create a customized access control item for an account object class.
For example, suppose you want to prevent Read and Write operations on the Description attribute of an account object class. You specify a permission value of None for both operations, and you select the membership of the access control item as the owner of the service on which the account resides. To test the new access control item, you log on as the service owner and begin to request an account for another user. You discover that you are still able to both read and write the account description field.
There are two causes.
- The membership specification of the new access control item applies to accounts that exist. In this case, the membership is for the owner of the service on which an existing account resides. However, the access control item does not prevent Read and Write operations during the account creation process, before the account exists.
- As service owner, you belong to the service owner group, which has an access control item named Default ACI for Account: Grant All to Supervisor/Domain Admin/Sponsor/Service Owner/Access Owner.
In your customized access control item, you specified a permission value of None for both operations. However, the default access control item specifies a permission value of Grant. The Grant permission takes precedence over a value of None in any other access control item that applies to the operation.
You can change your customized access control item as follows.
- Change the permission value to Deny for the Read and Write operations. The use of Deny by one access control item overrides an explicit Grant by other access control items. Use the Deny selection sparingly because an explicit denial overrides all other choices.
- Change the membership of the customized access control item to include the service owner group. The change ensures that the access control item applies during account creation.
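The precedence rule described above (Deny overrides Grant, and Grant overrides None) and the membership gap during account creation can be reproduced with a small model. The following is an added example, not product code; the group names, the `evaluate` function and the `description_access` helper are hypothetical and exist only to illustrate the two causes and the two fixes.

```python
from dataclasses import dataclass
from enum import Enum

class Perm(Enum):
    NONE = "None"
    GRANT = "Grant"
    DENY = "Deny"

@dataclass
class ACI:
    name: str
    members: frozenset   # groups/roles selected by the ACI's membership
    perms: dict          # operation -> Perm

def evaluate(acis, memberships, operation):
    """Combine every ACI whose membership matches the principal.
    Any Deny wins; otherwise any Grant wins; otherwise the result is None."""
    verdict = Perm.NONE
    for aci in acis:
        if not (aci.members & memberships):
            continue  # this ACI does not apply to the principal
        p = aci.perms.get(operation, Perm.NONE)
        if p is Perm.DENY:
            return Perm.DENY
        if p is Perm.GRANT:
            verdict = Perm.GRANT
    return verdict

# Hypothetical group names. "owner_of_this_accounts_service" only exists
# once the account does, so it is absent while the account is being created.
CREATING = frozenset({"service_owner_group"})
EXISTING = frozenset({"service_owner_group", "owner_of_this_accounts_service"})

DEFAULT_ACI = ACI("Default ACI for Account: Grant All to ... Service Owner",
                  frozenset({"service_owner_group"}),
                  {"read": Perm.GRANT, "write": Perm.GRANT})

def description_access(custom_perm, custom_members):
    """Return the (during creation, on existing account) verdicts for reading
    the Description attribute when a custom ACI is added to the default one."""
    custom = ACI("Custom ACI for Description", custom_members,
                 {"read": custom_perm, "write": custom_perm})
    acis = [DEFAULT_ACI, custom]
    return (evaluate(acis, CREATING, "read").value,
            evaluate(acis, EXISTING, "read").value)

if __name__ == "__main__":
    svc = frozenset({"owner_of_this_accounts_service"})
    both = svc | {"service_owner_group"}
    print("as described:", description_access(Perm.NONE, svc))   # ('Grant', 'Grant')
    print("Deny only:   ", description_access(Perm.DENY, svc))   # ('Grant', 'Deny')
    print("both fixes:  ", description_access(Perm.DENY, both))  # ('Deny', 'Deny')
```

Each fix on its own closes only one of the two causes; applying both gives Deny during creation and on the existing account.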
Parent topic: Access control item management issues