ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahyacl.htm

88 lines
5.4 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Access control lists</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahyacl"></a>
<h3 id="rzahyacl">Access control lists</h3>
<p>Access control lists (ACLs) provide a means to protect information stored
in a LDAP directory. Administrators use ACLs to restrict access to different
portions of the directory, or specific directory entries. Changes to each
entry and attribute in the directory can be controlled by using ACLs. An ACL
for a given entry or attribute can be inherited from its parent entry or can
be explicitly defined.</p>
<p>It is best to design your access control strategy by creating groups of
users that you will use when setting the access for objects and attributes.
Set ownership and access at the highest level in the tree possible and let
the controls inherit down the tree.</p>
<p>The operational attributes associated with access control, such as entryOwner,
ownerSource, ownerPropagate, aclEntry, aclSource and aclPropagate are unusual
in that they are logically associated with each object, but can have values
that depend on other objects higher in the tree. Depending on how they are
established, these attribute values can be explicit to an object or inherited
from an ancestor.</p>
<p>The access control model defines two sets of attributes: the Access Control
Information (ACI) and the entryOwner information. The ACI defines the access
rights given to a specified subject with respect to the operations they can
perform on the objects to which they apply. The aclEntry and aclPropagate
attributes apply to the ACI definition. The entryOwner information defines
which subjects can define the ACI for the associated entry object. The entryOwner
and ownerPropagate attributes apply to the entryOwner definition.</p>
<p>There are two kinds of access control lists that you can choose from: filter-based
ACLs and non-filtered ACLs. Non-filtered ACLs apply explicitly to the directory
entry that contains them, but can be propagated to none, or all of its descendant
entries. Filter-based ACLs differ in that they employ a filter-based comparison,
using a specified object filter, to match target objects with the effective
access that applies to them.</p>
<p>Using ACLs, administrators can restrict access to different portions of
the directory, specific directory entries and, based on the attribute name
or attribute access class, the attributes contained in the entries. Each
entry within the LDAP directory has a set of associated ACI. In conformance
with the LDAP model, the ACI and entryOwner information is represented as
attribute-value pairs. Furthermore, the LDIF syntax is used to administer
these values. The attributes are: </p>
<ul>
<li>aclEntry</li>
<li>aclPropagate</li>
<li>ibm-filterAclEntry</li>
<li>ibm-filterAclInherit</li>
<li>entryOwner</li>
<li>ownerPropagate</li></ul>
<p>For information about how to work with ACLs, see <a href="rzahywac-pi.htm#rzahywac-pi">Manage access control lists (ACLs)</a>.
For additional information, see the following:</p>
<ul>
<li><a href="rzahyfilteracls.htm#rzahyfilteracls">Filtered ACLs</a></li>
<li><a href="rzahyaclasyn.htm#rzahyaclasyn">The access control attribute syntax</a></li>
<li><a href="rzahyaclentry.htm#rzahyaclentry">AclEntry and ibm-filterAclEntry</a></li>
<li><a href="rzahyentryowner.htm#rzahyentryowner">EntryOwner</a></li>
<li><a href="rzahypropagation.htm#rzahypropagation">Propagation</a></li>
<li><a href="rzahyaccesseval.htm#rzahyaccesseval">Access evaluation</a></li>
<li><a href="rzahydefaci.htm#rzahydefaci">Define the ACIs and entry owners</a></li>
<li><a href="rzahymodaci.htm#rzahymodaci">Change the ACI and entry owner values</a></li>
<li><a href="rzahydelaci.htm#rzahydelaci">Delete the ACI/entry owner values</a></li>
<li><a href="rzahyretaci.htm#rzahyretaci">Retrieve the ACI/entry owner values</a></li>
<li><a href="rzahysubtree.htm#rzahysubtree">Subtree replication considerations</a></li></ul>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>