Directory Server, Version 6.1
Appendix K. Filtered ACLs and non-filtered ACLs – sample LDIF file
To gain a complete understanding of the ACL models, an administrator can best learn through hands-on trial. Create sample data with sample ACLs for your directory and check the effective ACL of each entry to ensure that the ACL scheme grants the access you intend.
Included is a sample LDIF file that contains combinations of filtered ACLs and non-filtered ACLs. This sample LDIF file can be loaded onto a directory server.
In this sample LDIF file there is one suffix entry, two user entries and 17 additional entries spread over 5 levels of the directory tree. Each entry has a two-digit designation. The first digit identifies the level at which the entry sits in the directory tree. The entries on each level are also numbered incrementally from left to right, and that position is the second digit.
Figure 19. Filtered ACLs and non-filtered ACLs LDIF file:

version: 1

dn: o=sample
objectclass: organization
objectclass: top
o: IBM

dn: cn=User1, o=sample
cn: User1
sn: User
objectclass: person
objectclass: top
userPassword: User1

dn: o=Level11, o=sample
o: Level11
objectclass: organization
objectclass: top

dn: o=Level21, o=Level11, o=sample
o: Level21
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level32):normal:rwsc:sensitive:rsc:critical:rsc

dn: o=Level31, o=Level21, o=Level11, o=sample
o: Level31
objectclass: organization
objectclass: top
ibm-filterAclInherit: FALSE

dn: o=Level41, o=Level31, o=Level21, o=Level11, o=sample
o: Level41
objectclass: organization
objectclass: top

dn: o=Level32, o=Level21, o=Level11, o=sample
o: Level32
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level42):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level43):normal:rwsc:sensitive:rwsc:critical:rsc
ibm-filterAclEntry: access-id:CN=USER2,o=sample:(o=Level44):normal:rwsc:sensitive:rsc:critical:rsc

dn: o=Level42, o=Level32, o=Level21, o=Level11, o=sample
o: Level42
objectclass: organization
objectclass: top

dn: o=Level43, o=Level32, o=Level21, o=Level11, o=sample
o: Level43
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level43):normal:rwsc:sensitive:rsc:critical:rwsc

dn: o=Level44, o=Level32, o=Level21, o=Level11, o=sample
o: Level44
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level44):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclInherit: FALSE

dn: cn=User2, o=sample
cn: User2
sn: User
objectclass: person
objectclass: top
userPassword: User2

dn: o=Level22, o=Level11, o=sample
o: Level22
objectclass: organization
objectclass: top
aclentry: access-id:CN=USER2,o=sample:normal:rsc:at.sn:deny:c:sensitive:c:critical:c

dn: o=Level33, o=Level22, o=Level11, o=sample
o: Level33
objectclass: organization
objectclass: top

dn: o=Level34, o=Level22, o=Level11, o=sample
o: Level34
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER2,o=sample:(o=Level34):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry: access-id:CN=USER2,o=sample:(o=Level51):normal:rwsc:sensitive:rwsc:critical:rsc
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level53):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry: access-id:CN=USER2,o=sample:(o=Level46):normal:rwsc:sensitive:rsc:critical:rsc

dn: o=Level45, o=Level34, o=Level22, o=Level11, o=sample
o: Level45
objectclass: organization
objectclass: top
aclentry: access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc
aclpropagate: FALSE

dn: o=Level51, o=Level45, o=Level34, o=Level22, o=Level11, o=sample
o: Level51
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER2,o=sample:(o=Level51):normal:rwsc:sensitive:rsc:critical:rsc

dn: o=Level52, o=Level45, o=Level34, o=Level22, o=Level11, o=sample
o: Level52
objectclass: organization
objectclass: top

dn: o=Level53, o=Level45, o=Level34, o=Level22, o=Level11, o=sample
o: Level53
objectclass: organization
objectclass: top

dn: o=Level46, o=Level34, o=Level22, o=Level11, o=sample
o: Level46
objectclass: organization
objectclass: top

dn: o=Level47, o=Level34, o=Level22, o=Level11, o=sample
o: Level47
objectclass: organization
objectclass: top
aclentry: access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

The following is a sample search output with comments about how the ACL was calculated for each entry:
> idsldapsearch -D <admin DN> -w <admin PW> -b o=sample objectclass=* ibm-effectiveACL ibm-filterAclEntry ibm-filterACLInherit aclEntry aclPropagate

o=sample
aclPropagate=TRUE
aclEntry=group:CN=ANYBODY:system:rsc:normal:rsc:restricted:rsc
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:normal:rsc:system:rsc

The effective ACL for this entry is the default ACL because the following are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.

cn=User1,o=sample
aclPropagate=TRUE
aclEntry=group:CN=ANYBODY:system:rsc:normal:rsc:restricted:rsc
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:normal:rsc:system:rsc

The effective ACL for this entry is the default ACL because the following are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.

o=Level11,o=sample
aclPropagate=TRUE
aclEntry=group:CN=ANYBODY:system:rsc:normal:rsc:restricted:rsc
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:normal:rsc:system:rsc

The effective ACL for this entry is the default ACL because the following are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.

o=Level21,o=Level11,o=sample
ibm-filterACLInherit=TRUE
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level32):normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:system:rsc:normal:rsc

This entry has a filtered ACL defined on it that does not apply to the entry itself: the filtered ACL applies only to an entry that has o=Level32. The effective ACL for this entry is the default ACL because the following are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.

o=Level31,o=Level21,o=Level11,o=sample
ibm-filterACLInherit=FALSE
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:system:rsc:normal:rsc

This entry has ibm-filterACLInherit=FALSE defined on it. This attribute acts as a ceiling and stops the accumulation of filtered ACLs. In this case, there are no filtered ACLs defined below this entry. The effective ACL for this entry is the default ACL because the following are true:
- The ibm-filterACLInherit definition puts this entry in filtered ACL mode, and therefore excludes non-filtered ACL definitions.
- None of the defined filtered ACLs apply to this entry.

o=Level41,o=Level31,o=Level21,o=Level11,o=sample
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:system:rsc:normal:rsc

The effective ACL for this entry is the default ACL because the following are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.

o=Level32,o=Level21,o=Level11,o=sample
ibm-filterACLInherit=TRUE
ibm-filterAclEntry=access-id:CN=USER2,o=sample:(o=Level44):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level43):normal:rwsc:sensitive:rwsc:critical:rsc
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level42):normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

The attribute ibm-filterACLInherit=TRUE means that this entry does not act as a ceiling for any filtered ACLs.
The three ibm-filterAclEntry attributes show how a filtered ACL can be defined on one entry and apply to another entry. In this case the three filtered ACLs apply to the three children of this entry, but not to this entry itself. The effective ACL was calculated by accumulating all the filtered ACLs that apply to this entry. Only one filtered ACL applies, the one defined on the o=Level21,o=Level11,o=sample entry, so the effective ACL is taken directly from it.

o=Level42,o=Level32,o=Level21,o=Level11,o=sample
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

The filtered ACL defined on the o=Level32,o=Level21,o=Level11,o=sample entry is used to calculate the effective ACL for this entry.

o=Level43,o=Level32,o=Level21,o=Level11,o=sample
ibm-filterACLInherit=TRUE
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level43):normal:rwsc:sensitive:rsc:critical:rwsc
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rwsc:critical:rwsc

This entry is a simple example of how filtered ACLs accumulate. The filtered ACL defined on the o=Level32,o=Level21,o=Level11,o=sample entry is combined with the filtered ACL defined on the o=Level43,o=Level32,o=Level21,o=Level11,o=sample entry to give read, write, search and compare access to all three classes of attributes for user 1.

o=Level44,o=Level32,o=Level21,o=Level11,o=sample
ibm-filterACLInherit=FALSE
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level44):normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

This entry is a simple example of how the ibm-filterACLInherit attribute can be used to stop the accumulation of filtered ACLs. The filtered ACL defined on the o=Level32,o=Level21,o=Level11,o=sample entry does not apply to this entry because ibm-filterACLInherit=FALSE. Only the filtered ACL defined on the o=Level44,o=Level32,o=Level21,o=Level11,o=sample entry applies, giving access to user 1. If the ibm-filterACLInherit value is changed to TRUE, the effective ACL gives access to both user 2 and user 1, and looks like the following:

ibm-effectiveACL=access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

cn=User2,o=sample
aclPropagate=TRUE
aclEntry=group:CN=ANYBODY:system:rsc:normal:rsc:restricted:rsc
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:normal:rsc:system:rsc

The effective ACL for this entry is the default ACL because the following are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.

o=Level22,o=Level11,o=sample
aclPropagate=TRUE
aclEntry=access-id:CN=USER2,o=sample:sensitive:c:at.sn:deny:c:normal:rsc:critical:c
ibm-effectiveACL=access-id:CN=USER2,o=sample:critical:c:normal:rsc:at.sn:deny:c:sensitive:c

This is an example of a non-filtered ACL. The effective ACL for this entry is the ACL defined on the entry.
Note: The value returned in the effective ACL is the server's normalized value, so the order of the clauses differs from the order in the LDIF file.

o=Level33,o=Level22,o=Level11,o=sample
aclPropagate=TRUE
aclEntry=access-id:CN=USER2,o=sample:sensitive:c:at.sn:deny:c:normal:rsc:critical:c
ibm-effectiveACL=access-id:CN=USER2,o=sample:critical:c:normal:rsc:at.sn:deny:c:sensitive:c

This is an example of the non-filtered ACL defined on the o=Level22,o=Level11,o=sample entry propagating down to the o=Level33,o=Level22,o=Level11,o=sample entry. The propagation occurs because the aclPropagate attribute is set to TRUE on the o=Level22,o=Level11,o=sample entry.

o=Level34,o=Level22,o=Level11,o=sample
ibm-filterACLInherit=TRUE
ibm-filterAclEntry=access-id:CN=USER2,o=sample:(o=Level46):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level53):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry=access-id:CN=USER2,o=sample:(o=Level51):normal:rwsc:sensitive:rwsc:critical:rsc
ibm-filterAclEntry=access-id:CN=USER2,o=sample:(o=Level34):normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

This entry has 4 filtered ACLs defined on it. Only one of them, the one with filter (o=Level34), applies to this entry, and the effective ACL is the result of that filtered ACL.
Note: The non-filtered ACL defined on the o=Level22,o=Level11,o=sample entry did not propagate to this entry, because filtered ACLs are defined on this entry and only one kind of ACL can exist on a given entry.

o=Level45,o=Level34,o=Level22,o=Level11,o=sample
aclPropagate=FALSE
aclEntry=access-id:CN=USER2,o=sample:sensitive:rsc:normal:rwsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER2,o=sample:critical:rsc:normal:rwsc:sensitive:rsc

This entry has an explicit non-filtered ACL defined, and the effective ACL is taken from the explicitly defined ACL. Because aclPropagate is FALSE, the defined non-filtered ACL does not propagate down the tree.

o=Level51,o=Level45,o=Level34,o=Level22,o=Level11,o=sample
ibm-filterACLInherit=TRUE
ibm-filterAclEntry=access-id:CN=USER2,o=sample:(o=Level51):normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rwsc:critical:rsc

This entry is an example of how filtered ACLs can accumulate even past a non-filtered ACL entry. The effective ACL for the entry is a combination of the filtered ACL defined on the o=Level34,o=Level22,o=Level11,o=sample entry and the one defined on the o=Level51,o=Level45,o=Level34,o=Level22,o=Level11,o=sample entry.

o=Level52,o=Level45,o=Level34,o=Level22,o=Level11,o=sample
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:system:rsc:normal:rsc

The effective ACL for this entry is the default ACL. Because the entry has no explicit ACL attributes to set its mode to either filtered or non-filtered, the server looks up the directory tree for the ACL source. The Level45 entry has a non-filtered ACL, but its aclPropagate is set to FALSE, so it is not the ACL source. The next ancestor in the directory tree, the Level34 entry, is of the filtered ACL type and is therefore the ACL source for the entry. Since no filtered ACLs in the tree apply to the entry, the default ACL is applied.

o=Level53,o=Level45,o=Level34,o=Level22,o=Level11,o=sample
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

The effective ACL for this entry is the filtered ACL defined on the o=Level34,o=Level22,o=Level11,o=sample entry.

o=Level46,o=Level34,o=Level22,o=Level11,o=sample
ibm-effectiveACL=access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

The effective ACL for this entry is the filtered ACL with filter (o=Level46) that is defined on the o=Level34,o=Level22,o=Level11,o=sample entry.

o=Level47,o=Level34,o=Level22,o=Level11,o=sample
aclPropagate=TRUE
aclEntry=access-id:CN=USER2,o=sample:sensitive:rsc:normal:rwsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER2,o=sample:critical:rsc:normal:rwsc:sensitive:rsc

This entry has an explicit non-filtered ACL defined, so the effective ACL is taken from the explicitly defined ACL.
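The commentary above spells out the rules the server applies: an entry is in exactly one ACL mode, non-filtered ACLs propagate down only while aclPropagate is TRUE, filtered ACLs accumulate from the entry upward (skipping non-filtered ancestors) until an ibm-filterAclInherit=FALSE ceiling, and the default ACL applies when nothing else does. The following script is an added worked example, not IBM code and not part of this appendix: it encodes those rules and runs them over a constructed transcription of the Figure 19 tree, so the result for each DN can be compared against the idsldapsearch output. Its assumptions: only the equality filters used in the sample are evaluated, and they are matched against the entry's naming attribute (every sample entry's o value is its RDN value); non-filtered ACL values are returned as written in the LDIF rather than in the server's normalized order; attribute-level clauses such as at.sn:deny:c are carried through untouched because non-filtered ACLs are never merged.

```python
"""Model of the effective-ACL rules described in Appendix K (added example, not IBM code)."""
import re

DEFAULT_ACL = "group:CN=ANYBODY:system:rsc:normal:rsc:restricted:rsc"
CLASSES = ("normal", "sensitive", "critical")


def fa(user, filt, n, s, c):
    """Build an ibm-filterAclEntry value in the layout the Figure 19 LDIF uses (constructed data)."""
    return f"access-id:CN={user},o=sample:({filt}):normal:{n}:sensitive:{s}:critical:{c}"


# DN -> ACL-relevant attributes transcribed from Figure 19. Keys: "filter" (ibm-filterAclEntry
# values), "inherit" (ibm-filterAclInherit), "acl" (aclentry), "propagate" (aclpropagate).
# Entries without ACL attributes are kept so every ancestor chain is complete.
S, L11 = ",o=sample", ",o=Level11,o=sample"
L21, L22 = ",o=Level21" + L11, ",o=Level22" + L11
L32, L34 = ",o=Level32" + L21, ",o=Level34" + L22
L45 = ",o=Level45" + L34
TREE = {
    "o=sample": {}, "cn=User1" + S: {}, "cn=User2" + S: {}, "o=Level11" + S: {},
    "o=Level21" + L11: {"filter": [fa("USER1", "o=Level32", "rwsc", "rsc", "rsc")]},
    "o=Level31" + L21: {"inherit": False},
    "o=Level41,o=Level31" + L21: {},
    "o=Level32" + L21: {"filter": [fa("USER1", "o=Level42", "rwsc", "rsc", "rsc"),
                                   fa("USER1", "o=Level43", "rwsc", "rwsc", "rsc"),
                                   fa("USER2", "o=Level44", "rwsc", "rsc", "rsc")]},
    "o=Level42" + L32: {},
    "o=Level43" + L32: {"filter": [fa("USER1", "o=Level43", "rwsc", "rsc", "rwsc")]},
    "o=Level44" + L32: {"filter": [fa("USER1", "o=Level44", "rwsc", "rsc", "rsc")], "inherit": False},
    "o=Level22" + L11: {"acl": "access-id:CN=USER2,o=sample:normal:rsc:at.sn:deny:c:sensitive:c:critical:c",
                        "propagate": True},
    "o=Level33" + L22: {},
    "o=Level34" + L22: {"filter": [fa("USER2", "o=Level34", "rwsc", "rsc", "rsc"),
                                   fa("USER2", "o=Level51", "rwsc", "rwsc", "rsc"),
                                   fa("USER1", "o=Level53", "rwsc", "rsc", "rsc"),
                                   fa("USER2", "o=Level46", "rwsc", "rsc", "rsc")]},
    "o=Level45" + L34: {"acl": "access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc",
                        "propagate": False},
    "o=Level51" + L45: {"filter": [fa("USER2", "o=Level51", "rwsc", "rsc", "rsc")]},
    "o=Level52" + L45: {}, "o=Level53" + L45: {}, "o=Level46" + L34: {},
    "o=Level47" + L34: {"acl": "access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc",
                        "propagate": True},
}


def parents(dn):
    """Ancestor DNs of dn, nearest first (a plain comma split is safe for this sample's DNs)."""
    rdns = dn.split(",")
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def kind(attrs):
    """ACL mode of an entry: 'filtered', 'non-filtered', or None when it has no ACL attributes."""
    if "filter" in attrs or "inherit" in attrs:
        return "filtered"
    return "non-filtered" if "acl" in attrs else None


def filter_matches(dn, filt):
    """Evaluate an equality filter against the entry's naming attribute (assumption: in this
    sample the o attribute equals the RDN value, so the RDN stands in for the entry)."""
    m = re.fullmatch(r"(\w+)=(.+)", filt)
    attr, val = dn.split(",")[0].split("=", 1)
    return bool(m) and attr.lower() == m.group(1).lower() and val.lower() == m.group(2).lower()


def parse_filter_acl(value):
    """Split 'access-id:<dn>:(<filter>):class:perms:...' into (subject, filter, {class: perms})."""
    subj_type, subj, filt, *rest = value.split(":")
    return f"{subj_type}:{subj}", filt.strip("()"), dict(zip(rest[0::2], rest[1::2]))


def effective_acl(dn, tree=TREE):
    """Return the effective ACL values for dn, following the rules the appendix describes."""
    mode, source = kind(tree[dn]), dn
    if mode is None:
        # No ACL attributes of either kind: the nearest ancestor with ACL attributes is the source,
        # except a non-filtered ancestor with aclPropagate FALSE, which is skipped (Level52 case).
        for anc in parents(dn):
            k = kind(tree[anc])
            if k == "filtered" or (k == "non-filtered" and tree[anc].get("propagate")):
                mode, source = k, anc
                break
        else:
            return [DEFAULT_ACL]
    if mode == "non-filtered":
        return [tree[source]["acl"]]  # as written in the LDIF; the server reports a normalized order
    # Filtered mode: union every matching filtered ACL from the entry upward. Non-filtered
    # ancestors are skipped (Level51 case); an ibm-filterAclInherit=FALSE entry is the ceiling,
    # so its own filtered ACLs count but nothing above it does (Level44 case).
    grants = {}
    for node in [dn, *parents(dn)]:
        attrs = tree[node]
        if kind(attrs) != "filtered":
            continue
        for value in attrs.get("filter", []):
            subj, filt, classes = parse_filter_acl(value)
            if filter_matches(dn, filt):
                for cls, perms in classes.items():
                    grants.setdefault(subj, {}).setdefault(cls, set()).update(perms)
        if attrs.get("inherit") is False:
            break
    if not grants:
        return [DEFAULT_ACL]
    return [subj + "".join(f":{c}:" + "".join(p for p in "rwsc" if p in g[c]) for c in CLASSES if c in g)
            for subj, g in grants.items()]


if __name__ == "__main__":
    for entry in TREE:
        print(entry, "->", effective_acl(entry))
```

Running the script prints one line per DN; each should agree with the ibm-effectiveACL value in the search output above (for non-filtered entries, compare clause by clause, since the server reorders them). The what-if in the Level44 commentary can be checked by copying TREE with that entry's "inherit" set to True, which makes the model pick up Level32's USER2 grant as well. Feeding the script a transcription of your own tree, rather than the sample, is a quick way to review an ACL scheme before loading it.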