<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Propagation</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahypropagation"></a>
<h4 id="rzahypropagation">Propagation</h4>
<p>Entries on which an aclEntry has been placed are considered to have an
explicit <span class="bold">aclEntry</span>. Similarly, if the <span class="bold">entryOwner</span> has been set on a particular entry, that entry has an explicit
owner. The two are not intertwined: an entry with an explicit owner may or
may not have an explicit <span class="bold">aclEntry</span>, and an
entry with an explicit <span class="bold">aclEntry</span> might have
an explicit owner. If either of these values is not explicitly present on
an entry, the missing value is inherited from an ancestor node in the directory
tree.</p>
<p>Each explicit <span class="bold">aclEntry</span> or <span class="bold">entryOwner</span> applies to the entry on which it is set. Additionally, the
value might apply to all descendants that do not have an explicitly set value.
These values are considered propagated; their values propagate through the
directory tree. Propagation of a particular value continues until another
propagating value is reached.</p>
<a name="wq65"></a>
<div class="notetitle" id="wq65">Note:</div>
<div class="notebody">Filter-based ACLs do not propagate in the same way that non-filter-based
ACLs do. They propagate to any comparison matched objects in the associated
subtree. See <a href="rzahyfilteracls.htm#rzahyfilteracls">Filtered ACLs</a> for more information about the
differences.</div>
<p><span class="bold">AclEntry</span> and <span class="bold">entryOwner</span> can be set to apply to just a particular entry, with the propagation
value set to "false", or to an entry and its subtree, with the propagation value
set to "true". Although both <span class="bold">aclEntry</span> and <span class="bold">entryOwner</span> can propagate, their propagation is
not linked in any way.</p>
<p>The <span class="bold">aclEntry</span> and <span class="bold">entryOwner</span> attributes allow multiple values; however, the propagation attributes
(<span class="bold">aclPropagate</span> and <span class="bold">ownerPropagate</span>) can have only a single value, which applies to all <span class="bold">aclEntry</span> or <span class="bold">entryOwner</span> attribute values
within the same entry.</p>
<p>The system attributes <span class="bold">aclSource</span> and <span class="bold">ownerSource</span> contain the DN of the effective node
from which the <span class="bold">aclEntry</span> or <span class="bold">entryOwner</span>, respectively, is evaluated. If no such node exists, the
value <span class="bold">default</span> is assigned.</p>
<p>An object's effective access control definitions can be derived by the
following logic: </p>
<ul>
<li>If there is a set of explicit access control attributes at the object,
then that is the object's access control definition.</li>
<li>If there are no explicitly defined access control attributes, then traverse
the directory tree upwards until an ancestor node is reached with a set of
propagating access control attributes.</li>
<li>If no such ancestor node is found, the default access described below
is granted to the subject.</li></ul>
<p>The directory administrator is the entry owner. The pseudo group cn=anybody
(all users) is granted read, search, and compare access to attributes in the <tt class="xph">normal</tt> access class.</p>
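<p>The derivation logic above, worked through as an added Python example (not IBM code): it resolves <span class="bold">aclSource</span> and <span class="bold">ownerSource</span> independently for a constructed tree, including the case where an ancestor's explicit but non-propagating value is skipped. The DNs, the placeholder attribute values and the function names are assumptions; only the attribute names come from this page.</p>

```python
DEFAULT = "default"  # value the page gives when no source node exists

# Constructed directory: DN -> attributes explicitly set on that entry.
# Attribute values are opaque placeholders, not real ACL syntax.
TREE = {
    "o=example": {"aclEntry": ["acl-A"], "aclPropagate": True,
                  "entryOwner": ["owner-A"], "ownerPropagate": True},
    "ou=hr,o=example": {"aclEntry": ["acl-B"], "aclPropagate": False},
    "cn=alice,ou=hr,o=example": {},
    "ou=dev,o=example": {"entryOwner": ["owner-B"], "ownerPropagate": True},
    "cn=bob,ou=dev,o=example": {},
    "o=other": {"aclEntry": ["acl-C"], "aclPropagate": False},
    "cn=carol,o=other": {},
}


def parent_dn(dn):
    """Drop the leftmost RDN (assumes no escaped commas in the sample DNs)."""
    return dn.partition(",")[2]


def source(dn, value_attr, propagate_attr):
    """Return the DN whose value_attr governs dn, or DEFAULT."""
    if value_attr in TREE[dn]:
        return dn  # an explicit value always applies to its own entry
    node = parent_dn(dn)
    while node in TREE:
        entry = TREE[node]
        # Explicit but non-propagating values are skipped; keep climbing.
        if value_attr in entry and entry[propagate_attr]:
            return node
        node = parent_dn(node)
    return DEFAULT


def effective(dn):
    """aclEntry and entryOwner are resolved independently of each other."""
    return {"aclSource": source(dn, "aclEntry", "aclPropagate"),
            "ownerSource": source(dn, "entryOwner", "ownerPropagate")}


if __name__ == "__main__":
    for dn in TREE:
        print(dn, effective(dn))
```

<p>When auditing a real directory, the same comparison can be made by reading the <span class="bold">aclSource</span> and <span class="bold">ownerSource</span> system attributes of an entry and checking that they name the node you expect.</p>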
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>