Set Up the Example Access Control Policy

Administration Guide › Set Up Access Controls › Example Access Control Policy › Set Up the Example Access Control Policy

Set Up the Example Access Control Policy

The directory architect has created a plain-English access control policy. To embody the policy in access control rules you need a set of configuration commands.

To set up the Example Access Control Policy

Enable access controls:
```
set access-controls = true;
```
This denies all users any access. This provides a clear basis on which to apply layers of permissions.
Delete any existing access control policies:
```
clear access;
```
Give DSA administrators all privileges (assuming a role called DSA-administrators has been defined):
```
set super-user DSA-Administrators {
```
```
role=DSA-Administrators
```
```
};
```

Let authenticated users update their own entries:

set reg-user owners {

own-subtree
subtree=<o ACME><ou staff>
perms=modify

};

Let PABX operators update all telephone numbers (assuming a role called pabx-operators has been defined):

set admin-user pabx-operators {

role=pabx-operators
subtree=<o ACME>
attrs=telephoneNumber
perms=modify

};

Let public users view (but not change) the name, e-mail address, and telephone number of staff:

set public-user public-staff-info = {
	subtree = <o ACME><ou staff>
	attrs=commonName,eMailAddress,telephoneNumber
};

Let public users view (but not change) anything in the public subtree:
```
set public-user public-info = {
	subtree = <o ACME><ou public>
};
```
Make passwords invisible to everyone except DSA administrators (this requires that only DSA administrators have the necessary access controls)
```
set protected-items passwords {
```
```
subtree=<o ACME>
attrs = userPassword
```
```
};
```

Make users administrators of their own passwords so they have update rights:

set admin-user = {

own-entry
subtree=<o ACME><ou staff>
attrs = userPassword

};

Email CA Technologies about this topic