ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahymodaci.htm

156 lines
7.6 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Change the ACI and entry owner values</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahymodaci"></a>
<h4 id="rzahymodaci">Change the ACI and entry owner values</h4>
<dl>
<dt class="bold">Modify-replace</dt>
<dd>Modify-replace works the same way as all other attributes. If the attribute
value does not exist, create the value. If the attribute value exists, replace
the value.
<p>Given the following ACIs for an entry: </p>
<pre class="xmp">aclEntry: group:cn=Dept ABC,o=IBM:normal:grant:rsc
aclPropagate: true </pre><p class="indatacontent">perform the following change: </p>
<pre class="xmp">dn: cn=some entry
changetype: modify
replace: aclEntry
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc
</pre><p class="indatacontent">The resulting ACI is: </p>
<pre class="xmp">aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc
aclPropagate: true </pre><p class="indatacontent">ACI values for Dept ABC are lost through the replace.</p>
<p>Given the following ACIs for an entry: </p>
<pre class="xmp">ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC):normal
:grant:rsc
ibm-filterAclInherit: true </pre><p class="indatacontent">perform the following changes: </p>
<pre class="xmp">dn: cn=some entry
changetype: modify
replace: ibm-filterAclEntry
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
:grant:rsc
dn: cn=some entry
changetype: modify
replace: ibm-filterAclInherit
ibm-filterAclInherit: false </pre><p class="indatacontent">The resulting ACI is: </p>
<pre class="xmp">ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
:grant:rsc
ibm-filterAclInherit: false </pre><p class="indatacontent">ACI values for Dept ABC are lost through
the replace.</p>
</dd>
<dt class="bold">Modify-add</dt>
<dd>During an ldapmodify-add, if the ACI or entryOwner does not exist, the
ACI or entryOwner with the specific values is created. If the ACI or entryOwner
exists, then add the specified values to the given ACI or entryOwner. For
example, given the ACI:
<pre class="xmp"> aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc</pre>with a modification:
<pre class="xmp">dn: cn=some entry
changetype: modify
add: aclEntry
aclEntry: group:cn=Dept ABC,o=IBM:at.attribute1:grant:rsc </pre>would yield
an multi-valued aclEntry of:
<pre class="xmp">aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc
aclEntry: group:cn=Dept ABC,o=IBM:at.attribute1:grant:rsc </pre>
<p>For example,
given the ACI: </p>
<pre class="xmp">Ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
:grant:rsc </pre><p class="indatacontent">with a modification: </p>
<pre class="xmp">dn: cn=some entry
changetype: modify
add: ibm-filterAclEntry
ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC)
:at.attribute1:grant:rsc </pre><p class="indatacontent">would yield an multi-valued
aclEntry of: </p>
<pre class="xmp">Ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
:grant:rsc
ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC):at.attribute1
:grant:rsc</pre>
<p>The permissions under the same attribute
or attribute class are considered as the basic building blocks and the actions
are considered as the qualifiers. If the same permission value is being added
more than once, only one value is stored. If the same permission value is
being added more than once with different action values, the last action value
is used. If the resulting permission field is empty (""), this permission
value is set to null and the action value is set to <span class="bold">grant</span></p>.
<p>For example, given the following ACI: </p>
<pre class="xmp"> aclEntry: group:cn=Dept XYZ,O=IBM:normal:grant:rsc
</pre><p class="indatacontent">with a modification: </p>
<pre class="xmp">dn: cn=some entry
changetype: modify
add: aclEntry
aclEntry: group:cn=Dept XYZ,o=IBM:normal:deny:r:critical:deny::sensitive
:grant:r
</pre><p class="indatacontent">yields an aclEntry of: </p>
<pre class="xmp">aclEntry: group:cn=Dept XYZ,O=IBM:normal:grant:sc:normal:deny:r:critical
:grant::sensitive:grant:r
</pre>
<p>For example, given the following ACI: </p>
<pre class="xmp">Ibm-filterAclEntry: group:cn=Dept XYZ,O=IBM:(cn=Manager XYZ):normal
:grant:rsc </pre><p class="indatacontent">with a modification: </p>
<pre class="xmp">dn: cn=some entry
changetype: modify
add: ibm-filterAclEntry
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
:deny:r:critical:deny::sensitive:grant:r</pre><p class="indatacontent">yields an
aclEntry of: </p>
<pre class="xmp">ibm-filterAclEntry: group:cn=Dept XYZ,O=IBM:(cn=Manager XYZ):normal
:grant:sc:normal:deny:r:critical:grant::sensitive
:grant:r </pre>
</dd>
<dt class="bold">Modify-delete</dt>
<dd>To delete a particular ACI value, use the regular ldapmodify-delete
syntax.
<p>Given an ACI of: </p>
<pre class="xmp">aclEntry: group:cn=Dept XYZ,o=IBM:object:grant:ad
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rwsc
dn: cn = some entry
changetype: modify
delete: aclEntry
aclEntry: group:cn=Dept XYZ,o=IBM:object:grant:ad </pre><p class="indatacontent">yields a remaining
ACI on the server of :</p>
<pre class="xmp">aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rwsc
</pre>
<p>Given an ACI of: </p>
<pre class="xmp">ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):object
:grant:ad
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
:grant:rwsc
dn: cn = some entry
changetype: modify
delete: ibm-filterAclEntry
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):object
:grant:ad </pre><p class="indatacontent">yields a remaining ACI on the server of: </p>
<pre class="xmp">ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
:grant:rwsc </pre>
<p>Deleting an ACI or entryOwner value
that does not exist results in an unchanged ACI or entryOwner and a return
code specifying that the attribute value does not exist.</p>
</dd>
</dl>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>