friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahypropagation.htm

72 lines
4.8 KiB
HTML
Raw Permalink Blame History

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Propagation</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahypropagation"></a>
<h4 id="rzahypropagation">Propagation</h4>
<p>Entries on which an aclEntry has been placed are considered to have an
explicit <span class="bold">aclEntry</span>. Similarly, if the <span class="bold">entryOwner</span> has been set on a particular entry, that entry has an explicit
owner. The two are not intertwined, an entry with an explicit owner may or
may not have an explicit <span class="bold">aclEntry</span>, and an
entry with an explicit <span class="bold">aclEntry</span> might have
an explicit owner. If either of these values is not explicitly present on
an entry, the missing value is inherited from an ancestor node in the directory
tree.</p>
<p>Each explicit <span class="bold">aclEntry</span> or <span class="bold">entryOwner</span> applies to the entry on which it is set. Additionally, the
value might apply to all descendants that do not have an explicitly set value.
These values are considered propagated; their values propagate through the
directory tree. Propagation of a particular value continues until another
propagating value is reached.</p>
<a name="wq65"></a>
<div class="notetitle" id="wq65">Note:</div>
<div class="notebody">Filter-based ACLs do not propagate in the same way that non-filter-based
ACLs do. They propagate to any comparison matched objects in the associated
subtree. See <a href="rzahyfilteracls.htm#rzahyfilteracls">Filtered ACLs</a> for more information about the
differences.</div>
<p><span class="bold">AclEntry</span> and <span class="bold">entryOwner</span> can be set to apply to just a particular entry with the propagation
value set to "false", or an entry and its subtree with the propagation value
set to "true". Although both <span class="bold">aclEntry</span> and <span class="bold">entryOwner</span> can propagate, their propagation is
not linked in anyway.</p>
<p>The <span class="bold">aclEntry</span> and <span class="bold">entryOwner</span> attributes allow multi-values, however, the propagation attributes
(<span class="bold">aclPropagate</span> and <span class="bold">ownerPropagate</span>) can only have a single value for all <span class="bold">aclEntry</span> or <span class="bold">entryOwner</span> attribute values
within the same entry.</p>
<p>The system attributes <span class="bold">aclSource</span> and <span class="bold">ownerSource</span> contain the DN of the effective node
from which the <span class="bold">aclEntry</span> or <span class="bold">entryOwner</span> are evaluated, respectively. If no such node exists, the
value <span class="bold">default</span> is assigned.</p>
<p>An object's effective access control definitions can be derived by the
following logic: </p>
<ul>
<li>If there is a set of explicit access control attributes at the object,
then that is the object's access control definition.</li>
<li>If there is no explicitly defined access control attributes, then traverse
the directory tree upwards until an ancestor node is reached with a set of
propagating access control attributes.</li>
<li>If no such ancestor node is found, the default access described below
is granted to the subject.</li></ul>
<p>The directory administrator is the entry owner. The pseudo group cn=anybody
(all users) is granted read, search, and compare access to attributes in the <tt class="xph">normal</tt> access class.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink