Global ACIs are a set of ACIs that can apply to entries anywhere in the server (although they can also be scoped so that they only apply to a specific set of entries). They work in conjunction with access control rules stored in user data and provide a convenient way to define ACIs that span disparate portions of the DIT.
In the PingDirectoryProxy Server, global ACIs are defined
within the server configuration, in the
global-aci property of configuration
object for the access control handler. They can be viewed and managed using configuration
tools like dsconfig and the Administrative Console.
- Allow anyone (including unauthenticated users) to access key attributes of the root DSE,
- Allow anyone (including unauthenticated users) to access key attributes of the subschema
- Allow anyone (including unauthenticated users) to include the following controls in requests made to the server: authorization identity request, manage DSA IT, password policy, real attributes only, and virtual attributes only.
- Allow anyone (including unauthenticated users) to request the following extended operations: get symmetric key, password modify request, password policy state, StartTLS, and Who Am I?