This command grants specified access rights at the registered user access level, to specified users, over a specified scope.
Access rights granted at this access level can be taken away by access control rules defined at the protected items access level.
Access control rules are effective only if you enable access controls.
This command has the following format:
set reg-user [tag] = {
users scope [attrs = attribute-list] [auth-level = simple | ssl-auth] [perms = permission-list] [validity = [start hhmm end hhmm] [on day]]
};
(Optional) Defines a name for this rule.
Defines the users that this rule applies to, where users is one of the following:
Defines the user that this rule applies to.
Defines the role that this rule applies to.
Defines the access control group that this rule applies to. Use of access control groups is deprecated, so use of this option is also deprecated.
Defines the top of the subtree of users that this rule applies to.
Specifies that the users defined in scope have access to their own entries only.
Specifies that the users defined in scope have access to their own entries and any entries below their own entry.
Defines the area of the DIT that this rule gives access to, where scope is one of the following:
Specifies the entry that this rule grants access to.
Specifies the subtree that this rule grants access to.
(Optional) Defines the attributes or attribute set to which this rule applies, where attribute-list is a comma-separated list of attribute names.
If attrs is not specified, then the access rule applies to the whole entry. add and remove permissions require that attrs is not specified.
(Optional) Specifies the permissions (access rights) that this rule grants to the users for the scope.
If perms is not specified, then read access permission is granted.
permission-list is a comma-separated list of one or more of the following:
Grants users all permissions over the scope.
Grants users permission to read the information defined in the scope.
Grants users permission to add to the information defined in the scope. This also grants read permission.
Grants users permission to delete entries defined in the scope. This also grants read permission.
Grants users permission to change information defined in the scope. This also grants read permission.
Grants users permission to rename the entries defined in the scope. This also grants read permission.
(Optional) Specifies the level of authentication required. If you use this option, use one of the following:
Specifies that this rule only applies to users who bind using simple authentication (username and password).
Specifies that this rule only applies to users who bind using SSL authentication.
(Optional) Defines the period during which this rule is valid. Use any of the following:
Defines the start and end of the period during which this rule is valid.
Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is Monday).
Example: Give Read Access to All Users in a Subtree
In the following example, all the users in the R&D subtree can read the Democorp subtree:
set reg-user "R&D-Users"= { user-subtree = <c "AU"><o "Democorp"><ou "R&D"> subtree = <c "AU"><o "Democorp"> };
Example: Give Read Access to an Entry
In the following example, all users in the group staff have read privileges on the Democorp entry:
set reg-user "democorp-staff" = { group = "staff" entry = <c "AU"><o "Democorp"> };
Example: Let All Users Read Some Attributes in Their Own Entry
The following example lets any user in the subtree AU/Democorp view only the selected attributes in their entry:
set reg-user = {
own-entry subtree = <c "AU"><o "Democorp"> attrs = telephoneNumber, commonName, surname, title, mhsORAddresses, odEmail
};
Example: Let All Users Read and Modify Some Attributes
In this example, all Democorp users can browse all entries in the subtree Democorp; however, when they read or search for an entry in the subtree, only those attributes that you declare are visible.
The users also have modify privileges on the listed attributes for all entries in the subtree:
set reg-user "self-view" = { user-subtree = <c AU><o Democorp> subtree = <c "AU"><o "Democorp"> attrs = telephoneNumber, commonName, surname, title, mhsORAddresses, dcEmail perms = modify };
Copyright © 2009 CA. All rights reserved. | Email CA about this topic |