Previous Topic: Example Access Control Policy

Next Topic: How Role-Based Access Controls Work

Set Up the Example Access Control Policy

The directory architect has created a plain-English access control policy. To embody the policy in access control rules you need a set of configuration commands.

  1. Enable access controls:
    set access-controls = true;
    

    This denies all users any access. This provides a clear basis on which to apply layers of permissions.

  2. Delete any existing access control policies:
    clear access;
    
  3. Give DSA administrators all privileges (assuming a role called DSA-administrators has been defined):
    set super-user DSA-Administrators {
    
    role=DSA-Administrators
    
    };
    
  4. Let authenticated users update their own entries:
    set reg-user owners {
    
    own-subtree
    subtree=<o ACME><ou staff>
    perms=modify
    
    };
    
  5. Let PABX operators update all telephone numbers (assuming a role called pabx-operators has been defined):
    set admin-user pabx-operators {
    
    role=pabx-operators
    subtree=<o ACME>
    attrs=telephoneNumber
    perms=modify
    
    };
    
  6. Let public users view (but not change) the name, e-mail address, and telephone number of staff:
    set public-user public-staff-info = {
    	subtree = <o ACME><ou staff>
    	attrs=commonName,eMailAddress,telephoneNumber
    };
    
  7. Let public users view (but not change) anything in the public subtree:
    set public-user public-info = {
    	subtree = <o ACME><ou public>
    };
    
  8. Make passwords invisible to everyone except DSA administrators (this requires that only DSA administrators have the necessary access controls)
    set protected-items passwords {
    
    subtree=<o ACME>
    attrs = userPassword
    
    };
    
    
  9. Make users administrators of their own passwords so they have update rights:
    set admin-user = {
    
    own-entry
    subtree=<o ACME><ou staff>
    attrs = userPassword
    
    };
    


Copyright © 2009 CA. All rights reserved. Email CA about this topic