Parameterized ACIs are useful for cases in which the data in a PingDirectory Server instance has the same structure repeated many times, and when each structure needs to have a similar set of access control rules.
This is especially common in a multi-tenant environment in which users within a tenant might need access to other entries within the same tenant, but not to other entries outside their organization.
For example, consider a server that has a DIT structure like the following:
dc=example,dc=com
  ou=tenants
    ou=Company A
      ou=People
      ou=Groups
        cn=Administrators
    ou=Company B
      ou=People
      ou=Groups
        cn=Administrators
    ou=Company C
      ou=People
      ou=Groups
        cn=Administrators
In each case, members of the cn=Administrators,ou=Groups,ou=<companyName>,ou=tenants,dc=example,dc=com group might need to be able to manage entries below ou=<companyName>,ou=tenants,dc=example,dc=com. While it might be possible to accomplish this by creating similar ACIs throughout the DIT (one for each tenant), this can also be accomplished by creating one parameterized ACI like the following example.
(target="ldap:///ou=($1),ou=tenants,dc=example,dc=com")(version 3.0; acl "Allow organization administrators to manage entries in their organization"; allow (all) groupdn="ldap:///cn=Administrators,ou=Groups,ou=($1),ou=tenants,dc=example,dc=com";)
In this case, the “($1)” is a placeholder that is matched between the target and groupdn elements of the access control rule. If the client is authenticated as a user who is a member of any group that matches that pattern in the groupdn bind rule, then the value that matches the placeholder within that pattern is also substituted in place of the same pattern within the target element.
Parameterized ACIs can also be used in conjunction with the userdn bind rule. For example, the following ACI grants any user within the organization permission to access a select set of attributes from any user within the same organization.
(target="ldap:///ou=($1),ou=tenants,dc=example,dc=com")(targetattr="uid||cn||givenName||sn||mail")(version 3.0; acl "Allow users within an organization to access select attributes from other entries in the same organization"; allow (read,search,compare) userdn="ldap:///uid=($2),ou=People,ou=($1),ou=tenants,dc=example,dc=com";)
Parameterized DNs used in the userdn or groupdn bind rules can have multiple placeholders. Not all of those placeholders need to be used in the target.
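As an added illustration (not PingDirectory's own code, and a deliberate simplification of its DN handling), the following Python models how the two ACIs above are evaluated: the placeholders in the userdn or groupdn bind rule are matched against the client's bind DN or one of its group DNs, the captured values are substituted into the target, and the requested entry is checked against the resolved target. Placeholders that the target does not use (such as ($2) in the second ACI) are simply ignored, as the last paragraph describes; the DN normalisation and the "one RDN value per placeholder" rule are assumptions of this model.

```python
import re

# "($n)" placeholders as written in the parameterized target and bind-rule DNs on this page.
PLACEHOLDER = re.compile(r"\(\$(\d+)\)")


def _strip_ldap_url(value: str) -> str:
    # ACI target/bind-rule values are LDAP URLs; keep only the DN part.
    return value[len("ldap:///"):] if value.lower().startswith("ldap:///") else value


def _norm(dn: str) -> str:
    # Assumed, simplified DN normalisation: lowercase and trim whitespace around RDN separators.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def match_placeholders(bind_rule_dn: str, subject_dn: str):
    """Return {"1": value, ...} when subject_dn fits the parameterized bind-rule DN, else None.
    subject_dn is the client's bind DN (userdn) or a group it belongs to (groupdn).
    Each ($n) is assumed to match exactly one RDN value (no commas)."""
    parts = PLACEHOLDER.split(_norm(_strip_ldap_url(bind_rule_dn)))  # literal, n, literal, n, ...
    regex = ""
    for i, part in enumerate(parts):
        regex += re.escape(part) if i % 2 == 0 else rf"(?P<p{part}>[^,]+)"
    m = re.fullmatch(regex, _norm(subject_dn))
    return {k[1:]: v for k, v in m.groupdict().items()} if m else None


def resolve_target(target_pattern: str, values: dict) -> str:
    """Substitute the captured placeholder values into the target DN pattern.
    Bind-rule placeholders the target does not use are ignored; a target placeholder
    with no value from the bind rule is a configuration error."""
    def sub(m):
        n = m.group(1)
        if n not in values:
            raise ValueError(f"target uses (${n}) but the bind rule does not define it")
        return values[n]
    return PLACEHOLDER.sub(sub, _norm(_strip_ldap_url(target_pattern)))


def _under(entry_dn: str, base_dn: str) -> bool:
    e, b = _norm(entry_dn), _norm(base_dn)
    return e == b or e.endswith("," + b)


def aci_applies(target_pattern: str, bind_rule_dn: str, subject_dns, entry_dn: str) -> bool:
    """True if the parameterized rule covers entry_dn for a client whose bind DN (userdn)
    or group memberships (groupdn) are listed in subject_dns."""
    for subject in subject_dns:
        values = match_placeholders(bind_rule_dn, subject)
        if values is not None and _under(entry_dn, resolve_target(target_pattern, values)):
            return True
    return False
```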