set reg-user Command—Configure Registered User Access Level Rights

Reference › DSA Commands (DXserver Commands) › Commands Reference › set reg-user Command—Configure Registered User Access Level Rights

set reg-user Command—Configure Registered User Access Level Rights

This command grants specified access rights at the registered user access level, to specified users, over a specified scope.

Access rights granted at this access level can be taken away by access control rules defined at the protected items access level.

Access control rules are effective only if you enable access controls.

This command has the following format:

set reg-user [tag] = {

users 
scope 
[attrs	= attribute-list]
[auth-level	= simple | ssl-auth]
[perms	= permission-list]
[validity	= [start hhmm end hhmm] [on day]]

};

tag

(Optional) Defines a name for this rule.

users

Defines the users that this rule applies to, where users is one of the following:

user = DN: Defines the user that this rule applies to.
role = DN: Defines the role that this rule applies to.
group = group-name: Defines the access control group that this rule applies to. Use of access control groups is deprecated, so use of this option is also deprecated.
user-subtree = DN: Defines the top of the subtree of users that this rule applies to.
own-entry: Specifies that the users defined in scope have access to their own entries only.
own-subtree: Specifies that the users defined in scope have access to their own entries and any entries below their own entry.

scope

Defines the area of the DIT that this rule gives access to, where scope is one of the following:

entry = DN: Specifies the entry that this rule grants access to.
subtree = DN: Specifies the subtree that this rule grants access to.

attrs = attribute-list

(Optional) Defines the attributes or attribute set to which this rule applies, where attribute-list is a comma-separated list of attribute names.

If attrs is not specified, then the access rule applies to the whole entry. add and remove permissions require that attrs is not specified.

perms = permission-list

(Optional) Specifies the permissions (access rights) that this rule grants to the users for the scope.

If perms is not specified, then read access permission is granted.

permission-list is a comma-separated list of one or more of the following:

all: Grants users all permissions over the scope.
read: Grants users permission to read the information defined in the scope.
add: Grants users permission to add to the information defined in the scope. This also grants read permission.
remove: Grants users permission to delete entries defined in the scope. This also grants read permission.
modify: Grants users permission to change information defined in the scope. This also grants read permission.
rename: Grants users permission to rename the entries defined in the scope. This also grants read permission.

auth-level = simple | ssl-auth

(Optional) Specifies the level of authentication required. If you use this option, use one of the following:

simple: Specifies that this rule only applies to users who bind using simple authentication (username and password).
ssl-auth: Specifies that this rule only applies to users who bind using SSL authentication.

validity = [start hhmm end hhmm] [on day]

(Optional) Defines the period during which this rule is valid. Use any of the following:

start hhmm end hhmm: Defines the start and end of the period during which this rule is valid.
on day: Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is Monday).

Example: Give Read Access to All Users in a Subtree

In the following example, all the users in the R&D subtree can read the Democorp subtree:

set reg-user R&D-Users"= { 
 user-subtree = <c AU"><o Democorp"><ou R&D">
 subtree	 = <c AU"><o Democorp">
};

Example: Give Read Access to an Entry

In the following example, all users in the group staff have read privileges on the Democorp entry:

set reg-user democorp-staff" = {
 group = staff"
 entry = <c AU"><o Democorp">
};

Example: Let All Users Read Some Attributes in Their Own Entry

The following example lets any user in the subtree AU/Democorp view only the selected attributes in their entry:

set reg-user = {

own-entry
subtree = <c AU"><o Democorp">
attrs = telephoneNumber, commonName, surname, title, mhsORAddresses, odEmail

};

Example: Let All Users Read and Modify Some Attributes

In this example, all Democorp users can browse all entries in the subtree Democorp; however, when they read or search for an entry in the subtree, only those attributes that you declare are visible.

The users also have modify privileges on the listed attributes for all entries in the subtree:

set reg-user self-view" = {
 user-subtree = <c AU><o Democorp>
 subtree = <c AU"><o Democorp">
 attrs = telephoneNumber, commonName, surname, title, mhsORAddresses, dcEmail
 perms = modify
};

More information:

Groups and Roles

Email CA Technologies about this topic