ACI rights
The rights section of an ACI defines the permissions that are granted or denied to requesters identified by the bind rule for operations against the data specified by the target.
Every ACI must allow or deny one or more rights.
read
The read right covers access to attributes within search result entries. If a client does not have the read right for an attribute in a search result entry, then that attribute is stripped out of the entry when it is returned to the client.
search
The search right covers permission to use attributes in a search filter. When performing a search (regardless of its scope), the requester must have search permission for all attributes in the filter.
If the requester has search permission for all attributes used in the filter, but only for a portion of the subtree used as the scope for the search, then only entries that reside in portions of the DIT where the search right is granted can be retrieved. For example, if a user has the search right for the cn attribute below ou=People,dc=example,dc=com, then a search based at dc=example,dc=com with a filter that contains the cn attribute only returns matching entries below ou=People,dc=example,dc=com, even if there are other entries matching the filter below dc=example,dc=com but outside of ou=People,dc=example,dc=com.
compare
The compare right covers permission to perform a compare assertion for a specified set of attributes.
A compare assertion includes an entry DN, an attribute name, and an assertion value. If the specified entry has the given attribute with the provided assertion value, then the server returns a result of compareTrue (result code 6). If the entry does not have the indicated attribute value, then the server returns a result of compareFalse (result code 5). However, if the requester does not have permission to perform that compare assertion, then the server returns a result of insufficientAccessRights (result code 50).
write
The write right covers permission to update attributes in an entry. This includes modify operations, and it also includes modify DN operations that do not specify a newSuperior (that is, modify distinguished name (DN) operations that only rename an entry and do not move it beneath a new parent). It does not include adding new entries or deleting existing entries.
selfwrite
The selfwrite right is a limited subset of the write permission. It covers permission for a user to add their own DN to the set of values for specified attributes, or to remove their own DN from the set of values for those attributes. This is typically used to allow a user to add themselves to or remove themselves from static groups.
The selfwrite right should only be used for attributes that have a syntax of either distinguished name or name and optional UID. Attempts to use it for attributes with other syntaxes can fail or result in unexpected behavior.
add
The add right covers permission to add new entries to the server. The requester must have add permission for at least one attribute included in the entry to be added.
delete
The delete right covers permission to remove entries from the server. For the delete operation, the requester only needs to have the delete right for the target entry and not for individual attributes within the entry. However, the server enforces any targattrfilters restrictions for attribute values contained in the entry to be deleted. If a targattrfilters restriction is used to limit the set of values that the requester can delete, then they are only allowed to delete entries containing those values.
export and import
Although you might assume otherwise from their names, the export and import rights do not have any relation to exporting data to LDIF or importing data from LDIF. Instead, these rights cover permission to move entries within the DIT (using a modify DN operation that includes a newSuperior). The export right is required to move an entry out from under its current parent, and the import right is required to move the entry below its new parent.
These rights are not required to perform a modify DN operation that does not attempt to move the entry below a new parent. That is covered by the write right.
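The search-scope example, the selfwrite group-membership case and the export/import pair described above, as a constructed LDIF example added here (it is not from the PingDirectory documentation). It assumes the standard PingDirectory ACI syntax and the constructed DNs uid=app,ou=Services,dc=example,dc=com, cn=Newsletter,ou=Groups,dc=example,dc=com and ou=Staging,dc=example,dc=com.

```ldif
# Constructed example. Grant search (and read, so matched cn values are
# returned rather than stripped) on cn only below ou=People. A search based
# at dc=example,dc=com with filter (cn=*) by uid=app then returns only the
# matching entries under ou=People.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="cn")(version 3.0; acl "Search cn under People";
  allow (search,read) userdn="ldap:///uid=app,ou=Services,dc=example,dc=com";)

# selfwrite on a DN-syntax attribute: any authenticated user may add or
# remove only their own DN in member; they cannot edit other members.
dn: cn=Newsletter,ou=Groups,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="member")(version 3.0; acl "Self-service membership";
  allow (selfwrite) userdn="ldap:///all";)

# Moving an entry from ou=Staging to ou=People with a modify DN that sets
# newSuperior needs export under the old parent and import under the new
# one. A rename without newSuperior needs only the write right.
dn: ou=Staging,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Move out of Staging";
  allow (export) userdn="ldap:///uid=app,ou=Services,dc=example,dc=com";)

dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Move into People";
  allow (import) userdn="ldap:///uid=app,ou=Services,dc=example,dc=com";)
```

Apply the file with the server's ldapmodify tool as an identity that is permitted to modify the aci attribute; continuation lines are indented with two spaces so one space survives LDIF unfolding.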
all
The all right is a shorthand notation that includes the capabilities of all of the other access control rights except the proxy right. Using the all right is equivalent to using read, search, compare, write, selfwrite, add, delete, export, and import.
proxy
The proxy right covers the ability to process an operation under the authority of an alternate authorization identity. This includes:
- Requests that include a proxied authorization request control
- Requests that include an intermediate client request control with a userIdentity
- SASL bind requests that request an alternate authorization identity
Because the ability to impersonate another user is a very sensitive operation, the requester must have the proxied-auth privilege for the operation to be allowed.
Changing the allow add ACI behavior for entries
You can require a bind user to have allow add permissions for all of an entry’s attributes before allowing them to add the entry to PingDirectory.
About this task
By default, a bind user can add an entry to PingDirectory if they have allow add permissions for at least one of the attributes in the entry. To increase your control over who is allowed to add entries to your PingDirectory datastore, you can enable the evaluate-target-attribute-rights-for-add-operations property.
Enabling this property causes PingDirectory to require a bind user to have an allow add access control instruction (ACI) for each attribute of the entry in the add request. If the bind user doesn’t meet this condition, or has a deny add ACI for any target attribute of the entry to be added, PingDirectory denies the add operation.
Before enabling this property in a production environment, thoroughly test your existing access control configuration. You might discover cases where you need to add or augment access control rules so that your authorized bind users can continue to add entries as expected.
Steps
- Modify the evaluate-target-attribute-rights-for-add-operations property. Choose from:
  - Enable the property.
    $ bin/dsconfig set-access-control-handler-prop \
        --set evaluate-target-attribute-rights-for-add-operations:true
  - Disable the property.
    $ bin/dsconfig set-access-control-handler-prop \
        --set evaluate-target-attribute-rights-for-add-operations:false