Page created: 6 Nov 2019 | Page updated: 25 Mar 2020
The access control model uses access control instructions (ACIs), which are stored in the aci operational attribute, to determine what a user or a group of users can do with a set of entries, down to the attribute level. The operational attribute can appear on any entry and affects the entry or any subentries within that branch of the directory information tree (DIT).
An access control instruction specifies four items:
- Resources. Resources are the targeted items or objects that specify the set of entries and/or operations to which the access control instruction applies. For example, you can specify access to certain attributes, such as the cn or userPassword attribute.
- Name. Name is the descriptive label for each access control instruction. Typically, you will have multiple access control instructions for a given branch of your DIT. The access control name helps describe its purpose. For example, you can configure an access control instruction labelled "ACI to grant full access to administrators."
- Clients. Clients are the users or entities to which you grant or deny access. You can specify individual users or groups of users using an LDAP URL. For example, you can specify a group of administrators using the LDAP URL groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com".
- Rights. Rights are permissions granted to users or client applications. You can grant or deny access to certain branches or operations. For example, you can grant read or write permission to a telephoneNumber attribute.
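As an added example (not code from the original page or from any directory server product), the small Python parser below splits an ACI value into the four items described above: the target (resource), the acl name, the rights, and the bind rule naming the client. The ACI string, the group DN and the helper names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample ACI combining the page's examples; not taken from a real directory.
SAMPLE_ACI = (
    '(targetattr="telephoneNumber")'
    '(version 3.0; acl "ACI to grant full access to administrators"; '
    'allow (read,write) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)'
)

# Regexes for the three syntactic parts: target clauses, the acl name, and allow/deny rules.
_TARGET_RE = re.compile(r'\((target\w*)\s*(!?=)\s*"([^"]*)"\)')
_BODY_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.S)
_GROUPDN_RE = re.compile(r'groupdn\s*=\s*"ldap:///([^"]*)"')

@dataclass
class Rule:
    permission: str   # "allow" or "deny"
    rights: tuple     # e.g. ("read", "write")
    bind_rule: str    # raw client specification, e.g. groupdn="ldap:///..."

@dataclass
class Aci:
    name: str         # the descriptive label given after the acl keyword
    targets: dict     # resources, keyed by target keyword -> (operator, value)
    rules: list       # one Rule per allow/deny clause

def parse_aci(text: str) -> Aci:
    """Split an ACI value into its name, its targets (resources) and its rights/client rules."""
    body = _BODY_RE.search(text)
    if body is None:
        raise ValueError("not a version 3.0 ACI")
    # Target clauses precede the (version 3.0; ...) body.
    targets = {kw: (op, val) for kw, op, val in _TARGET_RE.findall(text[:body.start()])}
    rules = [Rule(perm, tuple(r.strip() for r in rights.split(",")), bind.strip())
             for perm, rights, bind in _RULE_RE.findall(body.group(2))]
    return Aci(body.group(1), targets, rules)

def groups_allowed(aci: Aci, right: str) -> set:
    """Return the group DNs whose members this ACI explicitly allows the given right."""
    allowed = set()
    for rule in aci.rules:
        if rule.permission == "allow" and right in rule.rights:
            allowed.update(_GROUPDN_RE.findall(rule.bind_rule))
    return allowed

if __name__ == "__main__":
    aci = parse_aci(SAMPLE_ACI)
    print(aci.name, aci.targets, groups_allowed(aci, "write"))
```

Reviewing ACIs this way (which groups hold which rights on which attributes) is a quick check that an entry's aci values grant no more than intended.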