This command grants specified access rights at the administrative user access level, to specified users, over a specified scope.
Access rights granted at this access level cannot be taken away by other access control rules.
Administrative user access controls rules are effective only when you enable access controls.
This command has the following format:
set admin-user [tag] = {
users scope [attrs = attribute-list] [perms = permission-list] [auth-level = simple | ssl-auth] [validity = [start hhmm end hhmm] [on day]]
};
(Optional) Defines a name for this rule.
Defines the users that this rule applies to, where users is one of the following:
Defines the user that this rule applies to.
Defines the role that this rule applies to.
Defines the access control group that this rule applies to. Use of access control groups is deprecated, so use of this option is also deprecated.
Defines the top of the subtree of users that this rule applies to.
Specifies that the users defined in scope have access to their own entries only.
Specifies that the users defined in scope have access to their own entries and any entries below their own entry.
Defines the area of the DIT that this rule gives access to, where scope is one of the following:
Specifies the entry that this rule grants or denies access to.
Specifies the subtree that this rule grants or denies access to.
(Optional) Defines the attributes or attribute set to which this rule applies, where attribute-list is a comma-separated list of attribute names.
If attrs is not specified, then the access rule applies to the whole entry. add and remove permissions require that attrs is not specified.
(Optional) Specifies the permissions that this rule grants to the users for the scope.
If perms is not specified, then all permissions are granted.
permission-list is a comma-separated list of one or more of the following:
Specifies that users have all available permissions over the scope. This option implies all of the permissions listed below.
Specifies that users can read the information defined in the scope.
Specifies that users can add to the information defined in the scope.
Specifies that users can delete entries defined in the scope.
Specifies that users can change information defined in the scope.
Specifies that users can rename the entries defined in the scope.
(Optional) Specifies the level of authentication required. If you use this option, use one of the following:
Specifies that this rule only applies to users that bind using simple authentication (username and password).
Specifies that this rule only applies to users that bind using SSL authentication.
(Optional) Defines the period during which this rule is valid. Use any of the following:
Defines the start and end of the period during which this rule is valid.
Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is Monday).
Example: Give Administrative Access to All Users in a Subtree
The following command gives all users in the Finance subtree access to the Corporate subtree:
set admin-user "Finance-Users" = { user-subtree = <c "AU"><o "Democorp"><ou "Corporate"><ou "Finance"> subtree = <c "AU"><o "Democorp"><ou "Corporate">
};
Example: Give Administrative Privileges to a Role
The command in this example gives users in the role project-leader-group read and update privileges to the Technology SIG entry if they bind to the DSA using SSL authentication:
set admin-user "project-leaders" = { role = <c "AU"><o "Democorp"><ou "roles"><cn "project-leader-group"> entry = <c "AU"><o "Democorp"><ou "R&D"><listName "Technology SIG"> auth-level = ssl-auth
};
Example: Let Users Update a Single Attribute
The command in this example lets all users in the group pabx-mgmt-group update the attribute workPhone in the R&D subtree:
set admin-user "work-phone" = { group = "pabx-mgmt-group" subtree = <c "AU"><o "Democorp"><ou "R&D"> attrs = workPhone };
Example: Let Users Update Some Attributes in Their Own Entry
The command in this example gives all users in the R&D subtree permission to update the values of the attributes workPhone and description in their own entry only:
set admin-user "my-own-work-details" = { own-entry subtree = <c "AU"><o "Democorp"><ou "R&D"> attrs = workPhone, description };
Copyright © 2009 CA. All rights reserved. | Email CA about this topic |