This command grants all access rights (permissions) at the super user access level, to specified users. The scope is a user's own entry, or own subtree, or the whole directory.
Access rights granted at this access level cannot be taken away by other access control rules.
Access control rules are effective only if you enable access controls.
This command has the following format:
set super-user [tag] = {
users [auth-level = simple | ssl-auth] [validity = [start hhmm end hhmm] [on day]]
};
(Optional) Defines a name for this rule.
Defines the users that this rule applies to, where users is one of the following:
Defines the user that this rule applies to.
Defines the role that this rule applies to.
Defines the access control group that this rule applies to. Use of access control groups is deprecated, so use of this option is also deprecated.
Defines the top of the subtree of users that this rule applies to.
Specifies that the users defined in scope have super user access to their own entries only.
Specifies that the users defined in scope have super user access to their own entries and any entries below their own entry.
(Optional) Specifies the level of authentication required. If you use this option, use one of the following:
Specifies that this rule only applies to users that bind using simple authentication (username and password).
Specifies that this rule only applies to users that bind using SSL authentication.
(Optional) Defines the period during which this rule is valid. Use any of the following:
Defines the start and end of the period during which this rule is valid.
Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is Monday).
Example: Give Super User Privileges to One User
The following command defines a single user with super user privileges:
set super-user "dsa-manager" = { user = <c "AU"><o "Democorp"><commonName "DSA manager"> };
Example: Give Users Super User Rights to Their Own Entry Only
The following command gives all users in the domain of this DSA super user privileges on their own entry from 0800 hours to 1800 hours on Monday (day 1) to Friday (day 5):
set super-user "self" = { own-entry validity = ( start 0800 end 1800 on 12345 ) };
When you include this command in an access.dxc file that multiple DSAs source, all users in the domains of those DSAs will have super user privileges on their own entries.
The own-entry and own-subtree options are the only types of super user rule that do not grant the user access to all parts of the DSA.
Copyright © 2009 CA. All rights reserved. | Email CA about this topic |