PingDirectory

Overview of access control

The access control model uses access control instructions (ACIs) to determine what a user or a group of users can do with a set of entries, down to the attribute level.

The ACIs are stored in the aci operational attribute. The operational attribute can appear on any entry and affects the entry or any subentries within that branch of the directory information tree (DIT).

Access control instructions specify four items:

Resources

Resources are the targeted items or objects that specify the set of entries and operations to which the access control instruction applies. For example, you can specify access to certain attributes, such as cn or userPassword.

Name

Name is the descriptive label for each ACI. Typically, you have multiple ACIs for a given branch of your DIT. The access control name helps describe its purpose. For example, you can configure an ACI labeled "ACI to grant full access to administrators."

Clients

Clients are the users or entities to which you grant or deny access. You can specify individual users or groups of users using an LDAP URL. For example, you can specify a group of administrators using the LDAP URL: groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com".

Rights

Rights are permissions granted to users or client applications. You can grant or deny access to certain branches or operations. For example, you can grant read or write permission to a telephoneNumber attribute.
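The following added example (not from the PingDirectory documentation) shows how the four items above map onto ACI values and splits a set of constructed ACIs into resources, name, clients and rights so they can be audited; it assumes the DSEE-style syntax PingDirectory accepts, `(targetattr="...")(version 3.0; acl "<name>"; allow|deny (<rights>) <bind rule>;)`, and treats a missing targetattr as covering all attributes.

```python
import re

# Constructed sample ACIs (not from the page). Assumed syntax: optional target
# clauses, then (version 3.0; acl "<name>"; allow|deny (<rights>) <bind rule>;)
SAMPLE_ACIS = [
    '(targetattr="cn || telephoneNumber")(version 3.0; acl "Admins edit contact data"; '
    'allow (read,search,write) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)',
    '(targetattr="userPassword")(version 3.0; acl "Nobody reads passwords"; '
    'deny (read,search,compare) userdn="ldap:///anyone";)',
]

_ACI_RE = re.compile(
    r'^(?P<targets>(?:\([^()]*\)\s*)*)'                       # zero or more target clauses
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'        # the ACI name
    r'(?P<perm>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'        # rights
    r'(?P<clients>.+?);\s*\)$',                               # bind rule (clients)
    re.S,
)
_TARGET_RE = re.compile(r'\((\w+)\s*(!?=)\s*"([^"]*)"\)')


def parse_aci(aci):
    """Split one ACI string into the four items: resources, name, clients, rights."""
    m = _ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("not a recognised ACI: %r" % aci)
    resources = {}
    for keyword, op, value in _TARGET_RE.findall(m.group("targets")):
        # targetattr lists several attributes separated by "||"
        resources[keyword.lower()] = (op, [v.strip() for v in value.split("||")])
    rights = [r.strip().lower() for r in m.group("rights").split(",") if r.strip()]
    return {
        "resources": resources,
        "name": m.group("name"),
        "clients": m.group("clients").strip(),
        "rights": rights,
        "permission": m.group("perm"),
    }


def grants_on(acis, attribute, right):
    """Names of ACIs that explicitly allow `right` on `attribute` (an audit helper)."""
    hits = []
    for aci in acis:
        p = parse_aci(aci)
        # Assumption: no targetattr clause means the ACI covers every attribute.
        op, attrs = p["resources"].get("targetattr", ("=", ["*"]))
        covers = (attribute in attrs or "*" in attrs) if op == "=" else attribute not in attrs
        if p["permission"] == "allow" and right in p["rights"] and covers:
            hits.append(p["name"])
    return hits
```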