88 lines
5.4 KiB
HTML
88 lines
5.4 KiB
HTML
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
||
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="dc.language" scheme="rfc1766" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow"/>
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<title>Directory Server (LDAP) - Access control lists</title>
|
||
|
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="ic.css" />
|
||
|
</head>
|
||
|
<body>
|
||
|
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
|
||
|
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
|
||
|
|
||
|
|
||
|
<a name="rzahyacl"></a>
|
||
|
<h3 id="rzahyacl">Access control lists</h3>
|
||
|
<p>Access control lists (ACLs) provide a means to protect information stored
|
||
|
in a LDAP directory. Administrators use ACLs to restrict access to different
|
||
|
portions of the directory, or specific directory entries. Changes to each
|
||
|
entry and attribute in the directory can be controlled by using ACLs. An ACL
|
||
|
for a given entry or attribute can be inherited from its parent entry or can
|
||
|
be explicitly defined.</p>
|
||
|
<p>It is best to design your access control strategy by creating groups of
|
||
|
users that you will use when setting the access for objects and attributes.
|
||
|
Set ownership and access at the highest level in the tree possible and let
|
||
|
the controls inherit down the tree.</p>
|
||
|
<p>The operational attributes associated with access control, such as entryOwner,
|
||
|
ownerSource, ownerPropagate, aclEntry, aclSource and aclPropagate are unusual
|
||
|
in that they are logically associated with each object, but can have values
|
||
|
that depend on other objects higher in the tree. Depending on how they are
|
||
|
established, these attribute values can be explicit to an object or inherited
|
||
|
from an ancestor.</p>
|
||
|
<p>The access control model defines two sets of attributes: the Access Control
|
||
|
Information (ACI) and the entryOwner information. The ACI defines the access
|
||
|
rights given to a specified subject with respect to the operations they can
|
||
|
perform on the objects to which they apply. The aclEntry and aclPropagate
|
||
|
attributes apply to the ACI definition. The entryOwner information defines
|
||
|
which subjects can define the ACI for the associated entry object. The entryOwner
|
||
|
and ownerPropagate attributes apply to the entryOwner definition.</p>
|
||
|
<p>There are two kinds of access control lists that you can choose from: filter-based
|
||
|
ACLs and non-filtered ACLs. Non-filtered ACLs apply explicitly to the directory
|
||
|
entry that contains them, but can be propagated to none, or all of its descendant
|
||
|
entries. Filter-based ACLs differ in that they employ a filter-based comparison,
|
||
|
using a specified object filter, to match target objects with the effective
|
||
|
access that applies to them.</p>
|
||
|
<p>Using ACLs, administrators can restrict access to different portions of
|
||
|
the directory, specific directory entries and, based on the attribute name
|
||
|
or attribute access class, the attributes contained in the entries. Each
|
||
|
entry within the LDAP directory has a set of associated ACI. In conformance
|
||
|
with the LDAP model, the ACI and entryOwner information is represented as
|
||
|
attribute-value pairs. Furthermore, the LDIF syntax is used to administer
|
||
|
these values. The attributes are: </p>
|
||
|
<ul>
|
||
|
<li>aclEntry</li>
|
||
|
<li>aclPropagate</li>
|
||
|
<li>ibm-filterAclEntry</li>
|
||
|
<li>ibm-filterAclInherit</li>
|
||
|
<li>entryOwner</li>
|
||
|
<li>ownerPropagate</li></ul>
|
||
|
<p>For information about how to work with ACLs, see <a href="rzahywac-pi.htm#rzahywac-pi">Manage access control lists (ACLs)</a>.
|
||
|
For additional information, see the following:</p>
|
||
|
<ul>
|
||
|
<li><a href="rzahyfilteracls.htm#rzahyfilteracls">Filtered ACLs</a></li>
|
||
|
<li><a href="rzahyaclasyn.htm#rzahyaclasyn">The access control attribute syntax</a></li>
|
||
|
<li><a href="rzahyaclentry.htm#rzahyaclentry">AclEntry and ibm-filterAclEntry</a></li>
|
||
|
<li><a href="rzahyentryowner.htm#rzahyentryowner">EntryOwner</a></li>
|
||
|
<li><a href="rzahypropagation.htm#rzahypropagation">Propagation</a></li>
|
||
|
<li><a href="rzahyaccesseval.htm#rzahyaccesseval">Access evaluation</a></li>
|
||
|
<li><a href="rzahydefaci.htm#rzahydefaci">Define the ACIs and entry owners</a></li>
|
||
|
<li><a href="rzahymodaci.htm#rzahymodaci">Change the ACI and entry owner values</a></li>
|
||
|
<li><a href="rzahydelaci.htm#rzahydelaci">Delete the ACI/entry owner values</a></li>
|
||
|
<li><a href="rzahyretaci.htm#rzahyretaci">Retrieve the ACI/entry owner values</a></li>
|
||
|
<li><a href="rzahysubtree.htm#rzahysubtree">Subtree replication considerations</a></li></ul>
|
||
|
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
|
||
|
</body>
|
||
|
</html>
|