
set protected-items Command—Configure Protected Items Access Level Controls

The set protected-items command lets you protect specific subtrees, entries, or particular attributes in a subtree or entry. Use protected-items controls to protect some attributes in a part of the DIT.

This command denies (takes away) specified access rights that have been granted at the registered users and public users access levels.

Access rights denied at this access level can be granted by rules at the administrative users and super users access levels.

Access control rules are effective only if you enable access controls.

This command has the following format:

set protected-items [tag] = {
 [users]
 [scope]
 [attrs    = attribute-list]
 [perms    = permission-list]
 [validity = [start hhmm end hhmm] [on day]]
};

Example: Protect a Subtree

The command in this example makes a subtree invisible:

set protected-items hide-finance-from-employees = {
 group	= "employees"
 subtree	= <c "AU"><o "Democorp"><ou "Finance">
};

Example: Protect an Entry

The command in this example could be used to hide some management information about a DSA definition stored within the directory:

set protected-items "hide-schema-from-employees" = {
 role  = "employees"
 entry = <c "AU"><o "Democorp"><ou "Schema">
};

The specified entry is invisible to members of the employees role (unless a higher precedence access control rule grants them some access).

Example: Protect Some Attributes

The command in this example protects the homePhone and userPassword attributes in any entries in the Democorp subtree that have these attributes.

These attributes are visible to any super users and administrative users that have the Democorp subtree in their scope, but the attributes are hidden from all other users:

set protected-items "hide-passwords-and-home-phone" = {
 subtree	= <c "AU"><o "Democorp">
 attrs	= homePhone, userPassword
};

Example: Let Users View a Whole Entry and Modify Some Attributes

This example shows how to give users update access to most attributes within an entry but prevent the update of a small number of attributes.

This problem is made more complex because the list of attributes that can be updated can grow, for example, as more attributes are added to the entry.

A solution to this problem is to use the optional permissions in the access control rules. The following access rule will let all users in the subtree modify all attributes in their own entry:

set reg-user = {
 own-entry
 subtree	= <o test>
 perms	= modify
};

To prevent update access to some of these attributes, use the following command:

set protected-items = {
 own-entry
 subtree	= <o test>
 attrs	= attr1, attr2, ...
 perms	= modify
};

This prevents the user from modifying the attributes listed, but it does not prevent read access, because the only permission denied is modify.

Example: Let Users Modify All Attributes in Their Own Entry Except "role"

In this example, the set reg-user rule gives users modification rights to all attributes in their own entry, and the protected-items rule takes away modification rights for just the role attribute. The result is that users can modify all attributes in their own entries except "role", which they can read:

set reg-user = {
 own-entry
 subtree = <o Democorp>
 perms   = modify
};

set protected-items = {
 own-entry
 subtree = <o Democorp>
 attrs   = role
 perms   = modify
};

Without the perms = modify in the set protected-items rule, the user would be denied all access to the role attribute (including read access).
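The following is an added example, not part of the CA Directory documentation: a small Python model of how the protected-items rule in the two preceding examples interacts with grants made at the other access levels. The evaluation order it uses (registered-user grants apply first, a protected-items rule then takes rights away, and administrative or super user grants override the denial) is an assumption drawn from the text on this page, not DXserver's own evaluator; the rule set, the subtree, and the user DNs are constructed for the demonstration.

```python
"""Model of protected-items precedence (added example, assumptions noted inline)."""
from dataclasses import dataclass

# Order in which this model applies levels (assumed from the page text).
LEVEL_ORDER = ("public-user", "reg-user", "protected-items", "admin-user", "super-user")
ALL_PERMS = frozenset({"read", "modify"})


@dataclass(frozen=True)
class Rule:
    level: str                       # one of LEVEL_ORDER
    subtree: tuple                   # DN components, root first, e.g. ("o=Democorp",)
    perms: frozenset = ALL_PERMS     # perms granted (or, for protected-items, denied)
    attrs: frozenset = frozenset()   # empty = the whole entry
    own_entry: bool = False          # rule applies only when subject DN == target DN

    def matches(self, subject_dn, target_dn, attr):
        in_subtree = target_dn[:len(self.subtree)] == self.subtree
        own_ok = (not self.own_entry) or subject_dn == target_dn
        attr_ok = (not self.attrs) or attr in self.attrs
        return in_subtree and own_ok and attr_ok


def is_allowed(rules, subject_dn, target_dn, attr, perm):
    """True if subject may perform perm on attr of target_dn under these rules."""
    allowed = False
    for level in LEVEL_ORDER:
        for rule in rules:
            if rule.level != level or perm not in rule.perms:
                continue
            if not rule.matches(subject_dn, target_dn, attr):
                continue
            # protected-items takes rights away; every other level grants them.
            allowed = level != "protected-items"
    return allowed


# Constructed subtree and users.
DEMOCORP = ("o=Democorp",)
ALICE = ("o=Democorp", "ou=Finance", "cn=Alice")
BOB = ("o=Democorp", "ou=Finance", "cn=Bob")

# Constructed rule set mirroring the last example on the page: registered
# users may read the subtree and modify their own entry, but modify on the
# "role" attribute is taken away again by a protected-items rule.
RULES = (
    Rule("reg-user", DEMOCORP, perms=frozenset({"read"})),
    Rule("reg-user", DEMOCORP, perms=frozenset({"modify"}), own_entry=True),
    Rule("protected-items", DEMOCORP, perms=frozenset({"modify"}),
         attrs=frozenset({"role"}), own_entry=True),
)

# Same rule set with the perms line dropped from protected-items: the denial
# then covers every permission, including read (the "hide attributes" case).
RULES_NO_PERMS = RULES[:2] + (
    Rule("protected-items", DEMOCORP, attrs=frozenset({"role"}), own_entry=True),
)

# An administrative-user grant on the subtree re-enables what was denied.
RULES_WITH_ADMIN = RULES + (Rule("admin-user", DEMOCORP),)


def demo():
    return {
        "alice modifies own mail": is_allowed(RULES, ALICE, ALICE, "mail", "modify"),
        "alice modifies own role": is_allowed(RULES, ALICE, ALICE, "role", "modify"),
        "alice reads own role": is_allowed(RULES, ALICE, ALICE, "role", "read"),
        "alice modifies bob's mail": is_allowed(RULES, ALICE, BOB, "mail", "modify"),
        "no perms: alice reads own role": is_allowed(RULES_NO_PERMS, ALICE, ALICE, "role", "read"),
        "admin grant: alice modifies own role": is_allowed(RULES_WITH_ADMIN, ALICE, ALICE, "role", "modify"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {'allowed' if result else 'denied'}")
```

Running the block shows the three outcomes the text describes: modify on own "role" is denied while modify on other own attributes and read on "role" remain allowed; dropping perms from the protected-items rule also removes read; and a rule at the administrative users level restores access.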

More information:

Groups and Roles


Copyright © 2009 CA. All rights reserved.