PingOne Advanced Services

ACIs

To add, modify, or remove access control instructions (ACIs), submit a request through the service request form, accessible from the Support Portal.

About this task

Global ACIs are a set of ACIs that can apply to entries anywhere in the server, but they can also be scoped so that they only apply to a specific set of entries. These ACIs work in conjunction with access control rules stored in user data and provide a convenient way to define ACIs that span disparate portions of the DIT (Directory Information Tree).

You can apply global ACIs to administrator access, anonymous and authenticated access, delegated access to a manager, or proxy authorization. The following list gives each access control component with its description and, where applicable, its syntax.

Access control components (description and syntax)

targets

This component specifies the set of entries or attributes that the access control rule applies to.

Syntax: (target keyword = || != expression)

name

This component specifies the name of the ACI.

permissions

This component specifies the type of operations to which an access control rule might apply.

Syntax: allow||deny (permission)

bind rules

This component specifies the criteria that indicate whether an access control rule should apply to a given requester.

Syntax: bind rule keyword = || != expression;

A bind rule must be terminated with a semicolon (";").

For additional information, see Defining global ACIs in the PingDirectory Server Administration Guide.

Steps

  1. Complete the following fields:

    • Subject: Enter a description of your request, including the action to be taken.

    • Environment Type: Specify the type of environment affected by this request.

    • Proposed Change Window: Specify the dates or times in which you want the work completed.

  2. In the Capability list, select PingDirectory service request → ACIs.

  3. If you want to use an ACI that you constructed, select the Do you have ACI already? option.

  4. In the Base DN that ACI applies to field, select the parent Base DN that the ACI should apply to. Note that this ACI will apply to all subtrees below this Base DN.

  5. In the Attributes(s) to apply to (comma separated) field, provide a comma-separated list of attributes that should be allowed or denied by this ACI.

  6. In the DN of user or group field, provide the User DN or Group DN that the ACI will apply to, which will determine who is allowed or denied access.

  7. In the Is the target a user or group? field, indicate whether the target is a user or a group based on the DN provided in the previous step.

  8. In the Does this ACI allow or deny access? field, indicate whether the ACI should allow access to users with the selected attribute or deny access.

  9. In the Permissions field, select the permissions you want to grant or deny to the target users or groups.

  10. If you have a complete ACI, paste it into the Advanced (supply a raw ACI) field.

  11. In the Business Priority list, select the appropriate description:

    • Change needed by deadline to avoid business impact

    • Change modifies existing functionality

    • Change adds new functionality

  12. In the Description field, provide a description of the request.

  13. If you are tracking your request within your organization, enter the tracking ID or ticket number associated with it in the Customer Tracking ID field.

  14. To submit your request, click Save.
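The following added example (not part of Ping Identity's documentation) shows how the form fields in steps 4 through 9 map onto the target, name, permission, and bind rule components, and checks a raw ACI before it is pasted into the Advanced field. The helper names, the sample DNs, and the `version 3.0; acl "name";` wrapper and permission names taken from PingDirectory ACI syntax are assumptions not shown on this page.

```python
import re

# Permission names from PingDirectory ACI syntax (assumed; not listed on this page).
PERMISSIONS = {"read", "search", "compare", "write", "selfwrite",
               "add", "delete", "proxy", "import", "export", "all"}
ATTR_RE = re.compile(r"^(\*|[A-Za-z][A-Za-z0-9;-]*)$")


def build_aci(name, base_dn, attributes, subject_dn, is_group, allow, permissions):
    """Assemble a raw ACI string from the request-form fields (hypothetical helper)."""
    attrs = [a.strip() for a in attributes.split(",") if a.strip()]
    perms = [p.strip().lower() for p in permissions]
    # A quote, parenthesis or semicolon would end a clause early and change the rule.
    for value in (name, base_dn, subject_dn):
        if not value or re.search(r'["();\r\n]', value):
            raise ValueError(f"unsafe or empty field: {value!r}")
    if not attrs or not all(ATTR_RE.match(a) for a in attrs):
        raise ValueError(f"bad attribute list: {attributes!r}")
    if not perms or set(perms) - PERMISSIONS:
        raise ValueError(f"bad permissions: {permissions!r}")
    action = "allow" if allow else "deny"
    keyword = "groupdn" if is_group else "userdn"
    return (f'(target="ldap:///{base_dn}")'
            f'(targetattr="{"||".join(attrs)}")'
            f'(version 3.0; acl "{name}"; {action} ({",".join(perms)}) '
            f'{keyword}="ldap:///{subject_dn}";)')


def review_aci(aci):
    """Return warnings a reviewer would raise before submitting the raw ACI."""
    warnings = []
    if not aci.rstrip().endswith(";)"):
        warnings.append("bind rule is not terminated with ';'")
    grants = re.search(r"\ballow\s*\(([^)]*)\)", aci)
    if grants:
        perms = {p.strip() for p in grants.group(1).split(",")}
        if perms & {"all", "write", "add", "delete", "proxy"}:
            if re.search(r'userdn\s*=\s*"ldap:///(anyone|all)"', aci):
                warnings.append("modify-class permission granted to anyone/all")
            if re.search(r'targetattr\s*=\s*"\*"', aci):
                warnings.append("modify-class permission on every user attribute")
    return warnings


# Constructed sample values; the DNs are not from the page.
ACI = build_aci("Help desk can read contact data", "ou=People,dc=example,dc=com",
                "mail, telephoneNumber", "cn=Help Desk,ou=Groups,dc=example,dc=com",
                is_group=True, allow=True, permissions=["read", "search", "compare"])
```

An empty list from `review_aci` means none of these three checks fired; it does not replace review of the ACI against your directory's existing rules.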