The directory architect has created a plain-English access control policy. To implement that policy as access control rules, you need the following set of configuration commands.
# Switch on access-control enforcement; it is the first command in this listing,
# so it takes effect before any rule below is defined.
set access-controls = true;
This denies all users any access, which provides a clean baseline on which to apply layers of permissions.
# Access-control rule set for the ACME tree. Rules are layered from the most
# privileged (super-user) down to anonymous (public-user), then sensitive
# attributes are fenced off with protected-items.
# NOTE(review): some rules below are written `name {` and others `name = {`,
# and only some end in `};` on the same line; confirm the accepted syntax
# against the product reference before loading this file.

# Presumably discards any previously defined access rules so that the rules
# below are the only ones in force; confirm against the product reference.
clear access;

# Holders of the DSA-Administrators role are super-users.
# Review who holds this role; membership here is the highest privilege granted in this listing.
set super-user DSA-Administrators {
role=DSA-Administrators
};

# Registered users get modify permission on their own subtree under
# <o ACME><ou staff>. No attrs list is given, so the grant is not limited to
# named attributes. NOTE(review): confirm this is intended and that the
# protected-items rule below is what keeps userPassword out of scope.
set reg-user owners {
own-subtree subtree=<o ACME><ou staff> perms=modify
};

# Holders of the pabx-operators role may modify telephoneNumber, and only that
# attribute, anywhere under <o ACME>.
set admin-user pabx-operators {
role=pabx-operators subtree=<o ACME> attrs=telephoneNumber perms=modify
};

# Public (presumably unauthenticated, TODO confirm) access to staff entries,
# limited to the three listed attributes.
set public-user public-staff-info = { subtree = <o ACME><ou staff> attrs=commonName,eMailAddress,telephoneNumber };

# Public access to everything under <o ACME><ou public>. No attrs list is given,
# so every attribute stored there is presumably readable; verify nothing
# sensitive is ever placed in this subtree.
set public-user public-info = { subtree = <o ACME><ou public> };

# Marks userPassword as a protected item across the whole <o ACME> tree, so the
# broader rules above should not expose it (TODO confirm exact semantics).
set protected-items passwords {
subtree=<o ACME> attrs = userPassword
};

# Lets users under <o ACME><ou staff> act on userPassword in their own entry.
# NOTE(review): unlike the other rules this one has no rule name and no perms=
# value; confirm that both are optional and what permission applies by default.
set admin-user = {
own-entry subtree=<o ACME><ou staff> attrs = userPassword
};