<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Define the ACIs and entry owners</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>

<a name="rzahydefaci"></a>
<h4 id="rzahydefaci">Define the ACIs and entry owners</h4>
<p>The following two examples establish an administrative subdomain.
The first example assigns a single user as the entryOwner for
the entire domain. The second example assigns a group as the entryOwner.</p>
<pre class="xmp">entryOwner: access-id:cn=Person A,o=IBM
ownerPropagate: true

entryOwner: group:cn=System Owners, o=IBM
ownerPropagate: true
</pre>
<p>The next example gives the access-id "cn=Person 1, o=IBM"
permission to read, search, and compare attribute1. The permission applies
to any node in the entire subtree, at or below the node containing this ACI,
that matches the "(objectclass=groupOfNames)" comparison filter. Setting the
ibm-filterAclInherit attribute to "false" terminates, at this entry, the
accumulation of matching ibm-filterAclEntry attributes from any ancestor nodes.</p>
<pre class="xmp">ibm-filterAclEntry: access-id:cn=Person 1,o=IBM:(objectclass=groupOfNames):at.attribute1:grant:rsc

ibm-filterAclInherit: false
</pre>
<p>The next example gives the group "cn=Dept XYZ, o=IBM"
permission to read, search, and compare attribute1. The permission applies
to the entire subtree below the node containing this ACI.</p>
<pre class="xmp">aclEntry: group:cn=Dept XYZ,o=IBM:at.attribute1:grant:rsc
aclPropagate: true</pre>
<p>The next example gives the role "cn=System Admins,o=IBM"
permission to add objects below this node, and to read, search, and compare attribute2
and the critical attribute class. The permission applies only to the node
containing this ACI.</p>
<pre class="xmp">aclEntry: role:cn=System Admins,o=IBM:object:grant:a:at.attribute2:grant:rsc:critical:grant:rsc
aclPropagate: false</pre>
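<p>The ACI values above, decomposed field by field so that an entry's grants can be reviewed: this is an added example, not part of the original page and not IBM code. The names parse_aci, summarize and SAMPLE are hypothetical, and the code assumes that subject DNs contain no colon and that "deny" is accepted alongside the "grant" keyword shown here.</p>

```python
# Added example (not IBM code). Rights letters are named as on this page;
# any other letter is passed through unchanged.
SUBJECT_TYPES = ("access-id", "group", "role")
RIGHTS = {"a": "add", "r": "read", "s": "search", "c": "compare"}
# Constructed sample: the page's role example, folded LDIF-style, as one entry's ACI lines.
SAMPLE = ("aclEntry: role:cn=System Admins,o=IBM:object:grant:a:at.\n"
          " attribute2:grant:rsc:critical:grant:rsc\n"
          "aclPropagate: false\n")

def parse_aci(value):
    """Split an aclEntry or ibm-filterAclEntry value (assumes no ':' in the DN)."""
    stype, _, rest = value.partition(":")
    if stype not in SUBJECT_TYPES:
        raise ValueError("unknown subject type: %r" % stype)
    dn, _, rest = rest.partition(":")
    flt = None
    if rest.startswith("("):  # filter ACL: scan to the matching close parenthesis
        depth = 0
        for end, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                break
        else:
            raise ValueError("unbalanced filter in %r" % rest)
        flt, rest = rest[:end + 1], rest[end + 2:]
    fields = rest.split(":")
    if len(fields) % 3:
        raise ValueError("expected target:action:rights triples, got %r" % rest)
    grants = []
    for target, action, letters in zip(fields[0::3], fields[1::3], fields[2::3]):
        if action not in ("grant", "deny"):  # 'deny' is assumed; the page shows only 'grant'
            raise ValueError("bad action: %r" % action)
        grants.append((target, action, [RIGHTS.get(c, c) for c in letters]))
    return {"type": stype, "dn": dn, "filter": flt, "grants": grants}

def summarize(entry_text):
    """Return (subject, target, action, rights, scope) rows for one entry's aclEntry lines."""
    lines = entry_text.replace("\n ", "").splitlines()  # unfold continuation lines
    pairs = [line.split(": ", 1) for line in lines if ": " in line]
    flag = {k.lower(): v.strip().lower() for k, v in pairs}.get("aclpropagate")
    scope = {"true": "subtree", "false": "this entry only"}.get(flag, "unspecified")
    rows = []
    for name, value in pairs:
        if name.lower() == "aclentry":
            aci = parse_aci(value.strip())
            rows += [(aci["type"] + ":" + aci["dn"], t, a, r, scope) for t, a, r in aci["grants"]]
    return rows
```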
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>