---
title: Examples of common access control rules
description: This section demonstrates access controls that are commonly used in your environment.
component: pingdirectory
version: 11.0
page_id: pingdirectory:managing_access_control:pd_ds_common_access_control_rules
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/managing_access_control/pd_ds_common_access_control_rules.html
revdate: July 3, 2024
page_aliases: ["pd_ds_proxy_admin_access.adoc", "pd_ds_anon_and_authn_access.adoc", "pd_ds_delegated_access_to_manager.adoc", "pd_ds_proxy_authn.adoc"]
section_ids:
  administrator-access: Administrator access
  anonymous-and-authenticated-access: Anonymous and authenticated access
  delegated-access-to-a-manager: Delegated access to a manager
  proxy-authorization: Proxy authorization
---

# Examples of common access control rules

This section shows access control instructions (ACIs) that cover the needs of most deployments: administrative access, anonymous and authenticated access, delegation to a manager, and proxy authorization.

To modify access control definitions in the server, a user must have the `modify-acl` privilege.

## Administrator access

The following access control instructions (ACIs) grant members of the `cn=admins,ou=groups,dc=example,dc=com` group the following permissions. Note that `targetattr="*"` matches user attributes only and `targetattr="+"` matches operational attributes only, which is why two rules are needed:

* Add, modify, and delete entries

* Reset passwords

* Read operational attributes, such as `isMemberOf` and password policy state

```
aci: (targetattr="+")(version 3.0; acl "Administrators can read, search or compare operational attributes";
allow (read,search,compare) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "Administrators can add, modify and delete entries";
allow (all) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)
```

## Anonymous and authenticated access

The following ACIs give anonymous clients read, search, and compare access to a few attributes of `inetOrgPerson` entries and give authenticated users access to several more. The bind rule `userdn="ldap:///anyone"` matches every client, including unauthenticated ones, while `userdn="ldap:///all"` matches only authenticated clients, so an authenticated user is covered by both rules and can additionally write `userPassword`. As written, the third ACI has no `targetfilter` and uses `ldap:///all`, so it lets any authenticated user write the `userPassword` attribute of every entry within the ACI's scope, not only their own; to restrict users to their own password, use `userdn="ldap:///self"` instead.

```
aci: (targetattr="objectclass || uid || cn || mail || sn || givenName")(targetfilter="(objectClass=inetorgperson)")
(version 3.0; acl "Anyone can access names and email addresses of entries representing people";
allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr="departmentNumber || manager || isMemberOf")(targetfilter="(objectClass=inetorgperson)")
(version 3.0; acl "Authenticated users can access these fields for entries representing people";
allow (read,search,compare) userdn="ldap:///all";)
aci: (targetattr="userPassword")(version 3.0; acl "Authenticated users can change password";
allow (write) userdn="ldap:///all";)
```

To prevent anonymous access to the directory server, set the global configuration property `reject-unauthenticated-requests` to `true`.

## Delegated access to a manager

The following ACI allows an employee's manager to edit the employee's `telephoneNumber` attribute. It uses the `userattr` keyword with the `USERDN` bind type: the rule matches when the `manager` attribute of the entry being accessed contains the distinguished name (DN) of the bound user.

```
aci: (targetattr="telephoneNumber")
(version 3.0; acl "A manager can update telephone numbers of her direct reports";
allow (read,search,compare,write) userattr="manager#USERDN";)
```
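To review ACIs like the ones in the three sections above before loading them, the following added example (not PingDirectory code) parses the page's ACI strings with a deliberately simplified grammar and flags the grants a reviewer would question: an `allow (all)` on every user attribute, a modify permission for anonymous clients, write access to `userPassword` granted to every client rather than `ldap:///self`, and a `proxy` grant, which only works if the bound user also holds the `proxied-auth` privilege. The parser handles only the `targetattr`, `targetfilter`, permission and single bind-rule shapes used on this page, and the findings are heuristics, not the server's own evaluation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The ACIs from this page, each joined onto one line the way the server
# receives a folded LDIF attribute value. The seventh is the proxy rule from
# the last section.
PAGE_ACIS = [
    '(targetattr="+")(version 3.0; acl "Administrators can read, search or compare operational attributes"; '
    'allow (read,search,compare) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "Administrators can add, modify and delete entries"; '
    'allow (all) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)',
    '(targetattr="objectclass || uid || cn || mail || sn || givenName")(targetfilter="(objectClass=inetorgperson)") '
    '(version 3.0; acl "Anyone can access names and email addresses of entries representing people"; '
    'allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr="departmentNumber || manager || isMemberOf")(targetfilter="(objectClass=inetorgperson)") '
    '(version 3.0; acl "Authenticated users can access these fields for entries representing people"; '
    'allow (read,search,compare) userdn="ldap:///all";)',
    '(targetattr="userPassword")(version 3.0; acl "Authenticated users can change password"; '
    'allow (write) userdn="ldap:///all";)',
    '(targetattr="telephoneNumber") (version 3.0; acl "A manager can update telephone numbers of her direct reports"; '
    'allow (read,search,compare,write) userattr="manager#USERDN";)',
    '(version 3.0;acl "Application OnBehalf can proxy as another entry"; '
    'allow (proxy) userdn="ldap:///cn=OnBehalf,ou=applications,dc=example,dc=com";)',
]

# Simplified grammar: one or more (targetX="...") clauses, then the version
# body with exactly one allow/deny and one bind rule. Real ACIs can be richer.
TARGET_RE = re.compile(r'\((targetattr|targetfilter|target)\s*=\s*"([^"]*)"\)')
BODY_RE = re.compile(
    r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*([^;]*);\s*\)'
)


@dataclass
class Aci:
    name: str
    targetattr: list[str]        # [] when the ACI has no targetattr clause
    targetfilter: str | None
    effect: str                  # "allow" or "deny"
    permissions: list[str]       # lower-cased, e.g. ["read", "search", "compare"]
    bind_rule: str               # e.g. 'userdn="ldap:///all"'


def parse_aci(text: str) -> Aci:
    text = " ".join(text.split())            # collapse line folding
    targets = dict(TARGET_RE.findall(text))
    m = BODY_RE.search(text)
    if m is None:
        raise ValueError(f"unparsable ACI: {text!r}")
    name, effect, perms, bind_rule = m.groups()
    attrs = [a.strip() for a in targets.get("targetattr", "").split("||") if a.strip()]
    return Aci(
        name=name,
        targetattr=attrs,
        targetfilter=targets.get("targetfilter"),
        effect=effect,
        permissions=[p.strip().lower() for p in perms.split(",") if p.strip()],
        bind_rule=bind_rule.strip(),
    )


def lint(aci: Aci) -> list[str]:
    """Findings a reviewer would raise for an allow rule. Heuristic only."""
    findings: list[str] = []
    if aci.effect != "allow":
        return findings
    perms = set(aci.permissions)
    attrs = {a.lower() for a in aci.targetattr}
    bind = aci.bind_rule.lower()
    anonymous = 'userdn="ldap:///anyone"' in bind
    any_authenticated = 'userdn="ldap:///all"' in bind
    mutating = perms & {"write", "add", "delete", "all", "selfwrite", "import", "export"}
    if "all" in perms and ("*" in attrs or not attrs):
        findings.append("allow (all) on every user attribute; confirm the bind rule names a small, controlled group")
    if anonymous and mutating:
        findings.append("anonymous clients receive a modify permission")
    if (anonymous or any_authenticated) and "userpassword" in attrs and mutating:
        findings.append('userPassword is writable on every entry in scope; use userdn="ldap:///self" to limit users to their own password')
    if "proxy" in perms:
        findings.append("proxy grant: the bound user must also hold the proxied-auth privilege")
    return findings


def lint_page() -> dict[str, list[str]]:
    """Map each page ACI's name to its findings."""
    return {aci.name: lint(aci) for aci in map(parse_aci, PAGE_ACIS)}


if __name__ == "__main__":
    for name, findings in lint_page().items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
```

Run against the page, only the administrator `allow (all)` rule, the `userPassword` rule and the proxy rule produce findings; the two read-only rules and the `manager#USERDN` rule pass.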

## Proxy authorization

The following ACI allows the application `cn=OnBehalf,ou=applications,dc=example,dc=com` to use the proxied authorization V2 control to request that operations be performed using an alternate authorization identity.

```
aci: (version 3.0;acl "Application OnBehalf can proxy as another entry";
allow (proxy) userdn="ldap:///cn=OnBehalf,ou=applications,dc=example,dc=com";)
```

Note: The application user must have the `proxied-auth` privilege.
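The ACI above only grants the right to proxy; what `cn=OnBehalf` actually sends is the proxied authorization v2 control from RFC 4370. The following added example (not PingDirectory or Ping SDK code) encodes that control by hand and decodes it again, to show the two details that matter when debugging a proxy failure: the criticality flag must be TRUE, so a server that does not support the control rejects the request rather than silently running it as the bound application, and the control value is the raw `authzId` string (`dn:...`, `u:...`, or empty for anonymous), not a BER-wrapped value. The `uid=jdoe` DN is constructed for the example.

```python
from __future__ import annotations

# LDAP Proxied Authorization v2 control (RFC 4370). The controlType is an
# LDAPOID, which LDAP encodes as an OCTET STRING holding the dotted string,
# not as an ASN.1 OBJECT IDENTIFIER.
PROXIED_AUTH_V2_OID = "2.16.840.1.113730.3.4.18"


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(body)) + body


def validate_authz_id(authz_id: str) -> None:
    """RFC 4513 authzId: 'dn:<DN>', 'u:<userid>', or empty for anonymous."""
    if authz_id == "" or authz_id.startswith(("dn:", "u:")):
        return
    raise ValueError(f"invalid authzId: {authz_id!r}")


def proxied_auth_v2_control(authz_id: str) -> bytes:
    """Encode Control ::= SEQUENCE { controlType, criticality, controlValue }."""
    validate_authz_id(authz_id)
    control_type = _tlv(0x04, PROXIED_AUTH_V2_OID.encode("ascii"))
    criticality = _tlv(0x01, b"\xff")          # BOOLEAN TRUE, mandatory per RFC 4370
    control_value = _tlv(0x04, authz_id.encode("utf-8"))
    return _tlv(0x30, control_type + criticality + control_value)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, body, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n_len = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_control(data: bytes) -> tuple[str, bool, str]:
    """Parse a Control into (controlType, criticality, authzId).

    Rejects a proxied authorization control that is not marked critical, which
    is the check a conforming server performs before honouring it.
    """
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a well-formed Control SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    criticality = False
    if pos < len(seq) and seq[pos] == 0x01:
        _, flag, pos = _read_tlv(seq, pos)
        criticality = flag != b"\x00"
    value = b""
    if pos < len(seq):
        _, value, pos = _read_tlv(seq, pos)
    control_type = oid.decode("ascii")
    if control_type == PROXIED_AUTH_V2_OID and not criticality:
        raise ValueError("proxied authorization control must be critical (RFC 4370)")
    return control_type, criticality, value.decode("utf-8")


def control_is_acceptable(data: bytes) -> bool:
    """True when decode_control accepts the bytes, False otherwise."""
    try:
        decode_control(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed target identity; the application itself binds as cn=OnBehalf.
    ctl = proxied_auth_v2_control("dn:uid=jdoe,ou=people,dc=example,dc=com")
    print(ctl.hex())
    print(decode_control(ctl))
```

The server evaluates the `proxy` ACI and the `proxied-auth` privilege against the bound identity (`cn=OnBehalf`), then evaluates the requested operation's own ACIs against the identity carried in the control, so a proxied modify still fails unless `uid=jdoe` would have been allowed to perform it directly.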
