A public user is a user who is anonymous, so the set of "Public users" consists of all users who have not been authenticated.
This command grants specified access rights at the public user access level, to all users, over a specified scope.
Any access that is granted by this command applies to public users, and by extension to all users. That is, a user who is authenticated can do anything that a public user can do.
Access rights granted at this access level can be taken away by access control rules defined at the protected items access level.
Access control rules are effective only if you enable access controls. If access controls are not enabled, then public users have full permission over the whole directory.
This command has the following format:
set public-user [tag] = {
scope [attrs = attribute-list] [perms = permission-list] [validity = [start hhmm end hhmm] [on day]]
};
tag
(Optional) Defines a name for this rule.
scope
Defines the area of the DIT that this rule gives access to, where scope is one of the following:
Specifies the entry that this rule grants access to.
Specifies the subtree that this rule grants access to.
attrs = attribute-list
(Optional) Defines the attributes or attribute set to which this rule applies, where attribute-list is a comma-separated list of attribute names.
If attrs is not specified, then the access rule applies to the whole entry. add and remove permissions require that attrs is not specified.
perms = permission-list
(Optional) Specifies the permissions (access rights) that this rule grants to public users for the scope.
If perms is not specified, then read access permission is granted.
permission-list is a comma-separated list of one or more of the following:
Specifies that public users have all available permissions over the scope. This option implies all of the permissions listed below.
Specifies that public users can read the information defined in the scope.
Specifies that public users can add to the information defined in the scope. This also grants read permission.
Specifies that public users can delete entries defined in the scope. This also grants read permission.
Specifies that public users can change information defined in the scope. This also grants read permission.
Specifies that public users can rename the entries defined in the scope. This also grants read permission.
validity
(Optional) Defines the period during which this rule is valid. Use any of the following:
start hhmm end hhmm
Defines the start and end of the period during which this rule is valid.
on day
Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is Monday).
Example: Let Anonymous Users Read Attributes in a Subtree
In the following example, all users can view the name, telephone number, and X.400 mail addresses in the Phone List subtree:
set public-user "public-attr" = { subtree = <c "AU"><o "Democorp"><ou "Phone List"> attrs = telephoneNumber, commonName, surname, mhsORAddresses };
Example: Give Public-User Privileges to Members of a Role
In the following example, all users in the role cell-research have read privileges on the directory R&D subtree:
set public-user "cell-research" = { role = <c "AU"><o "Democorp"><ou "roles"><cn "cell-research"> subtree = <c "AU"><o "Democorp"><ou "R&D"> };
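One way to review set public-user rules before loading them, as an added example that is not part of the CA documentation: the Python script below parses rules of the shape shown on this page and reports any rule that grants more than read, or that omits attrs and so covers whole entries. The function names, the simplified parser, and the "guest-add" rule in the sample input are assumptions made for the example.

```python
import re

# One rule: set public-user ["tag"] = { ... };
RULE_RE = re.compile(r'set\s+public-user\s*(?:"([^"]*)")?\s*=\s*\{(.*?)\}\s*;', re.S)
DN_RE = re.compile(r'<[^>]*>')             # one DN component, e.g. <ou "Phone List">
KEY_RE = re.compile(r'([A-Za-z-]+)\s*=')   # a keyword followed by '='

# Constructed input: the page's two example rules plus one invented rule ("guest-add").
SAMPLE = '''
set public-user "public-attr" = { subtree = <c "AU"><o "Democorp"><ou "Phone List"> attrs = telephoneNumber, commonName, surname, mhsORAddresses };
set public-user "guest-add" = { subtree = <c "AU"><o "Democorp"><ou "Guests"> perms = read, add };
set public-user "cell-research" = { role = <c "AU"><o "Democorp"><ou "roles"><cn "cell-research"> subtree = <c "AU"><o "Democorp"><ou "R&D"> };
'''

def parse_rules(config):
    """Return one dict per rule: {'tag': name or None, keyword: value, ...}."""
    rules = []
    for tag, body in RULE_RE.findall(config):
        # Mask DN components so a '=' inside a quoted name is not read as a keyword.
        masked = DN_RE.sub(lambda m: "_" * len(m.group()), body)
        keys = list(KEY_RE.finditer(masked))
        rule = {"tag": tag or None}
        for k, nxt in zip(keys, keys[1:] + [None]):
            end = nxt.start() if nxt else len(body)
            rule[k.group(1).lower()] = " ".join(body[k.end():end].split())
        rules.append(rule)
    return rules

def audit(config):
    """Return (tag, finding) pairs for rules that grant more than attribute-level read."""
    findings = []
    for r in parse_rules(config):
        who = "role members" if "role" in r else "all users, including anonymous"
        # Per the page, omitting perms grants read only.
        perms = [p.strip().lower() for p in r.get("perms", "read").split(",")]
        extra = [p for p in perms if p != "read"]
        if extra:
            findings.append((r["tag"], f"{who}: grants more than read ({', '.join(extra)})"))
        # Per the page, omitting attrs applies the rule to the whole entry.
        if "attrs" not in r:
            findings.append((r["tag"], f"{who}: no attrs, whole entries are in scope"))
    return findings

if __name__ == "__main__":
    for tag, finding in audit(SAMPLE):
        print(f"{tag}: {finding}")
```

Any permission other than read is reported without relying on keyword names, so the check does not depend on the permission list being complete.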
Copyright © 2009 CA. All rights reserved.