Page created: 4 Feb 2020 |
Page updated: 22 Jul 2020
Global ACIs are a set of ACIs that can apply to entries anywhere in the server (although they can also be scoped so that they only apply to a specific set of entries). They work in conjunction with access control rules stored in user data and provide a convenient way to define ACIs that span disparate portions of the DIT.
In the PingDirectoryProxy Server, global ACIs are defined
within the server configuration, in the
global-aci property of configuration
object for the access control handler. They can be viewed and managed using configuration
tools like dsconfig and the Administrative Console.
The global ACIs available by default in the PingDirectoryProxy Server include:
- Allow anyone (including unauthenticated users) to access key attributes of the root DSE,
- Allow anyone (including unauthenticated users) to access key attributes of the subschema
- Allow anyone (including unauthenticated users) to include the following controls in requests made to the server: authorization identity request, manage DSA IT, password policy, real attributes only, and virtual attributes only.
- Allow anyone (including unauthenticated users) to request the following extended operations: get symmetric key, password modify request, password policy state, StartTLS, and Who Am I?