Global ACIs are a set of ACIs that apply to entries anywhere in the server or scoped to only apply to a specific set of entries.
Global ACIs work in conjunction with ACRs stored in user data and provide a convenient way to define ACIs that span disparate portions of the directory information tree (DIT).
In the Server, global ACIs are defined within the server
configuration, in the
global-aci property of the configuration object for the
access control handler. To view and manage global ACIs, use configuration tools like
dsconfig and the administrative console.
The global ACIs available by default in the Server include:
- Allow anyone, including unauthenticated users, to access key attributes of the root
DSA-specific entry (DSE), including:
- Allow anyone, including unauthenticated users, to access key attributes of the subschema
- Allow anyone, including unauthenticated users, to include the following controls in
requests made to the server:
- Authorization identity request
- Manage DSA IT
- Password policy
- Real attributes only
- Virtual attributes only
- Allow anyone, including unauthenticated users, to request the following extended
- Get symmetric key
- Password modify request
- Password policy state
- Who Am I?