Parameterized ACIs
Parameterized ACIs are useful for cases in which the data in a PingDirectory server instance has the same structure repeated many times, and when each structure needs to have a similar set of access control rules.
This is especially common in a multi-tenant environment in which users within a tenant might need access to other entries within the same tenant, but not to other entries outside their organization.
For example, consider a server that has a DIT structure like the following:

dc=example,dc=com
  ou=tenants
    ou=Company A
      ou=People
      ou=Groups
        cn=Administrators
    ou=Company B
      ou=People
      ou=Groups
        cn=Administrators
    ou=Company C
      ou=People
      ou=Groups
        cn=Administrators
In each case, members of the cn=Administrators,ou=Groups,ou=<companyName>,ou=tenants,dc=example,dc=com group might need to be able to manage entries below ou=<companyName>,ou=tenants,dc=example,dc=com. While it might be possible to accomplish this by creating similar ACIs throughout the DIT (one for each tenant), it can also be accomplished by creating a single parameterized ACI like the following example:
(target="ldap:///ou=($1),ou=tenants,dc=example,dc=com")(version 3.0; acl "Allow organization administrators to manage entries in their organization"; allow (all) groupdn="ldap:///cn=Administrators,ou=Groups,ou=($1),ou=tenants,dc=example,dc=com";)
In this case, "($1)" is a placeholder that is matched between the target and groupdn elements of the access control rule. If the client is authenticated as a user who is a member of any group that matches the pattern in the groupdn bind rule, then the value that matched the placeholder in that pattern is substituted for the same placeholder in the target element.
Parameterized ACIs can also be used in conjunction with the userdn bind rule. For example, the following ACI grants any user within an organization permission to access a select set of attributes from any user within the same organization:
(target="ldap:///ou=($1),ou=tenants,dc=example,dc=com")(targetattr="uid||cn||givenName||sn||mail")(version 3.0; acl "Allow users within an organization to access select attributes from other entries in the same organization"; allow (read,search,compare) userdn="ldap:///uid=($2),ou=People,ou=($1),ou=tenants,dc=example,dc=com";)
Parameterized DNs used in the userdn or groupdn bind rules can have multiple placeholders. Not all of those placeholders need to be used in the target.
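To make the placeholder matching concrete, the following added example simulates how the two ACIs above scope a grant to a single tenant. It is not PingDirectory code and does not reproduce the server's ACI engine; it is a small, self-contained model of the behaviour the text describes: a DN from the bind rule (the bound user's own DN for userdn, or one of the user's group DNs for groupdn) is matched against the parameterized pattern, the values captured for each ($n) are substituted into the target, and the ACI applies only to entries at or below the resolved target. The function names, the sample DNs (alice, bob) and the simplified DN handling (no escaped commas, no duplicate placeholders) are this example's own assumptions; the target and bind-rule patterns are the ones from the page. A separate checker reports placeholders that a target uses but the bind rule never binds, which is the misconfiguration a reviewer would want to catch before deploying such an ACI.

```python
import re

LDAP_URL_PREFIX = "ldap:///"
PLACEHOLDER = re.compile(r"\(\$(\d+)\)")  # matches ($1), ($2), ...


def normalize_dn(dn: str) -> str:
    """Strip an ldap:/// prefix and whitespace around RDN separators.
    Simplification (assumption of this example): escaped commas inside
    attribute values are not handled."""
    if dn.lower().startswith(LDAP_URL_PREFIX):
        dn = dn[len(LDAP_URL_PREFIX):]
    return ",".join(part.strip() for part in dn.split(","))


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Compile a parameterized DN such as
    cn=Administrators,ou=Groups,ou=($1),ou=tenants,dc=example,dc=com
    into a regex in which each ($n) captures exactly one RDN value."""
    pieces = PLACEHOLDER.split(normalize_dn(pattern))
    # re.split with one capture group alternates literal text and placeholder numbers
    regex = ""
    for i, piece in enumerate(pieces):
        if i % 2 == 0:
            regex += re.escape(piece)
        else:
            regex += rf"(?P<p{piece}>[^,]+)"
    return re.compile(rf"^{regex}$", re.IGNORECASE)


def match_bind_pattern(pattern: str, dn: str):
    """Return {placeholder_number: matched_value} if dn fits the pattern, else None."""
    m = pattern_to_regex(pattern).match(normalize_dn(dn))
    if m is None:
        return None
    return {int(name[1:]): value for name, value in m.groupdict().items()}


def placeholders_in(pattern: str) -> set:
    return {int(n) for n in PLACEHOLDER.findall(pattern)}


def unbound_placeholders(target_pattern: str, bind_pattern: str) -> set:
    """Placeholders the target uses that the bind rule can never bind.
    The reverse (bind rule has placeholders the target does not use) is allowed."""
    return placeholders_in(target_pattern) - placeholders_in(bind_pattern)


def substitute(pattern: str, values: dict) -> str:
    """Replace every ($n) in pattern with the value bound from the bind rule."""
    def repl(m):
        n = int(m.group(1))
        if n not in values:
            raise ValueError(f"placeholder (${n}) was not bound by the bind rule")
        return values[n]
    return PLACEHOLDER.sub(repl, normalize_dn(pattern))


def is_at_or_below(entry_dn: str, base_dn: str) -> bool:
    e, b = normalize_dn(entry_dn).lower(), normalize_dn(base_dn).lower()
    return e == b or e.endswith("," + b)


def parameterized_aci_applies(target_pattern, bind_pattern, candidate_dns, entry_dn):
    """Model of one parameterized ACI: the first candidate DN that fits the bind
    rule binds the placeholders; those values are substituted into the target,
    and the ACI applies only if entry_dn lies at or below the resolved target."""
    for dn in candidate_dns:
        values = match_bind_pattern(bind_pattern, dn)
        if values is None:
            continue
        if is_at_or_below(entry_dn, substitute(target_pattern, values)):
            return True
    return False


# Patterns taken from the two ACIs on the page
TENANT_TARGET = "ldap:///ou=($1),ou=tenants,dc=example,dc=com"
ADMIN_GROUPDN = "ldap:///cn=Administrators,ou=Groups,ou=($1),ou=tenants,dc=example,dc=com"
USER_USERDN = "ldap:///uid=($2),ou=People,ou=($1),ou=tenants,dc=example,dc=com"

# Constructed sample DNs (not from the page): an admin of Company A and two users
ADMIN_A_GROUPS = ["cn=Administrators,ou=Groups,ou=Company A,ou=tenants,dc=example,dc=com"]
ALICE_IN_A = "uid=alice,ou=People,ou=Company A,ou=tenants,dc=example,dc=com"
BOB_IN_B = "uid=bob,ou=People,ou=Company B,ou=tenants,dc=example,dc=com"


def demo() -> dict:
    """Tenant isolation check: each grant resolves to the bound user's own tenant only."""
    return {
        "admin_a_manages_a": parameterized_aci_applies(TENANT_TARGET, ADMIN_GROUPDN, ADMIN_A_GROUPS, ALICE_IN_A),
        "admin_a_manages_b": parameterized_aci_applies(TENANT_TARGET, ADMIN_GROUPDN, ADMIN_A_GROUPS, BOB_IN_B),
        "bob_reads_own_tenant": parameterized_aci_applies(TENANT_TARGET, USER_USERDN, [BOB_IN_B], BOB_IN_B),
        "bob_reads_other_tenant": parameterized_aci_applies(TENANT_TARGET, USER_USERDN, [BOB_IN_B], ALICE_IN_A),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running the module prints that the Company A administrator is allowed on alice's entry and denied on bob's, and that bob's userdn grant resolves to Company B only. The userdn match binds both ($1) and ($2) even though the target uses only ($1), which is the case the last paragraph describes; unbound_placeholders() flags the opposite situation, a target placeholder with no source in the bind rule, as a configuration defect.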