HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

The permission and bind rule portions of the ACI are set as a pair, also called an access control
rule (ACR). The specified permission is granted or denied depending on whether the accompanying
rule is evaluated to be true.
6.1.2 ACI placement
If an entry containing an ACI does not have any child entries, the ACI applies to that entry only.
If the entry has child entries, the ACI applies to the entry itself and all entries below it. As a direct
consequence, when the server evaluates access permissions to any given entry, it verifies the ACIs
for every entry between the one requested and the directory suffix, as well as the ACIs on the entry
itself.
The aci attribute is multivalued, which means that you can define several ACIs for the same entry
or subtree.
An ACI created on an entry can be set so that it does not apply directly to that entry but to some or
all of the entries in the subtree below it. The advantage of this is that general ACIs can be placed at
a high level in the directory tree and still apply to entries that are more likely to be located lower in
the tree. For example, an ACI that targets entries containing the inetOrgPerson object class
can be created at the level of an organizationalUnit entry or a locality entry.
Minimize the number of ACIs in the directory tree by placing general rules at high level branch
points. To limit the scope of more specific rules, place them as close as possible to leaf entries.
NOTE:
ACIs placed in the root DSE entry apply only to that entry.
6.1.3 ACI evaluation
To evaluate the access rights to a particular entry, the server compiles a list of the ACIs present on
the entry itself and on the parent entries back up to the top level entry stored on the Directory
Server. ACIs are evaluated across all the databases for a particular Directory Server but not across
all Directory Server instances.
The evaluation of this list of ACIs is done based on the semantics of the ACIs, not on their placement
in the directory tree. This means that ACIs that are close to the root of the directory tree do not
take precedence over ACIs that are closer to the leaves of the directory tree.
For Directory Server ACIs, the precedence rule is that ACIs that deny access take precedence over
ACIs that allow access. Between ACIs that allow access, union semantics apply, so there is no
precedence.
For example, if you deny write permission at the directory's root level, then none of the users can
write to the directory, regardless of the specific permissions you grant them. To grant a specific
user write permissions to the directory, you have to restrict the scope of the original denial for write
permission so that it does not include the user.
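The following Python model is an added example; it is not code from the HP-UX Directory Server guide or from the server itself. It implements the placement rule of 6.1.2 (an ACI applies to its entry and everything beneath it) and the precedence rules of 6.1.3 (deny beats allow, allows are unioned, position in the tree is irrelevant, no match means the server default of denied access) for a small subset of the ACI syntax, so that the deny-at-root situation described above can be exercised against its fix. The suffix dc=example,dc=com, the entries uid=admin and uid=jdoe, and the ACI strings are constructed for the example.

```python
"""
Added example, not the server's code: a small model of how ACIs combine
during evaluation. It parses a constructed subset of the ACI syntax (one
permission clause, a userdn bind rule with = or !=) and applies the rules
documented in 6.1.2 and 6.1.3. Real ACIs support many more keywords.
"""
import re

ACI_RE = re.compile(
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*(?P<op>!=|=)\s*"ldap:///(?P<who>[^"]*)"\s*;\s*\)\s*$'
)


def parse_aci(text):
    """Return a dict for one ACI of the supported subset, or raise ValueError."""
    m = ACI_RE.search(text)
    if not m:
        raise ValueError("unsupported ACI syntax: %s" % text)
    d = m.groupdict()
    d["rights"] = {r.strip().lower() for r in d["rights"].split(",")}
    return d


def dn_is_under(entry_dn, ancestor_dn):
    """True if entry_dn is ancestor_dn itself or lies anywhere beneath it (6.1.2)."""
    e, a = entry_dn.lower(), ancestor_dn.lower()
    return e == a or e.endswith("," + a)


def bind_rule_matches(aci, bind_dn, entry_dn):
    """Evaluate the userdn bind rule for the bound user (None = anonymous bind)."""
    who = aci["who"].lower()
    if who == "anyone":          # anonymous and authenticated users alike
        hit = True
    elif who == "all":           # any authenticated user
        hit = bind_dn is not None
    elif who == "self":          # the bound user is the target entry
        hit = bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    else:                        # one specific DN
        hit = bind_dn is not None and bind_dn.lower() == who
    return hit if aci["op"] == "=" else not hit


def has_right(acis, bind_dn, entry_dn, right):
    """
    acis: list of (placement_dn, aci_text). Collect every ACI placed on the
    entry or on one of its ancestors, then apply 6.1.3: any matching deny
    wins, otherwise any matching allow grants, and with no match at all the
    server default of denying access applies. List order is never consulted,
    so tree position gives no precedence.
    """
    applicable = [parse_aci(t) for placed_on, t in acis
                  if dn_is_under(entry_dn, placed_on)]
    matching = [a for a in applicable
                if right in a["rights"] and bind_rule_matches(a, bind_dn, entry_dn)]
    if any(a["effect"] == "deny" for a in matching):
        return False
    return any(a["effect"] == "allow" for a in matching)


# Constructed directory layout and policy (assumptions for this example).
SUFFIX = "dc=example,dc=com"
ADMIN = "uid=admin,ou=People," + SUFFIX
JDOE = "uid=jdoe,ou=People," + SUFFIX

# The root-level deny swallows the more specific allow placed lower in the
# tree, exactly the situation the guide describes.
BROKEN = [
    (SUFFIX, '(targetattr = "*")(version 3.0; acl "read for everyone"; '
             'allow (read, search) userdn = "ldap:///anyone";)'),
    (SUFFIX, '(targetattr = "*")(version 3.0; acl "no writes"; '
             'deny (write) userdn = "ldap:///anyone";)'),
    ("ou=People," + SUFFIX,
     '(targetattr = "*")(version 3.0; acl "admin writes"; '
     'allow (write) userdn = "ldap:///%s";)' % ADMIN),
]

# The fix: narrow the scope of the deny so that it no longer covers the admin.
FIXED = [
    BROKEN[0],
    (SUFFIX, '(targetattr = "*")(version 3.0; acl "no writes except admin"; '
             'deny (write) userdn != "ldap:///%s";)' % ADMIN),
    BROKEN[2],
]

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN), ("fixed", FIXED)):
        print(label,
              "admin write:", has_right(policy, ADMIN, JDOE, "write"),
              "jdoe write:", has_right(policy, JDOE, JDOE, "write"),
              "anonymous read:", has_right(policy, None, JDOE, "read"))
```

With the BROKEN policy the admin cannot write to uid=jdoe even though the allow sits closer to the leaf; in the FIXED policy the deny is narrowed with the `!=` form of the userdn bind rule, so the admin's allow is no longer overridden while every other user is still denied. Other ways of narrowing a deny (targetfilter, groupdn) are outside the subset this model parses.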
6.1.4 ACI limitations
When creating an access control policy for your directory service, you need to be aware of the
following restrictions:
If your directory tree is distributed over several servers using the chaining feature, some
restrictions apply to the keywords you can use in access control statements:
ACIs that depend on group entries (groupdn keyword) must be located on the same
server as the group entry. If the group is dynamic, then all members of the group must
6.1 Access control principles 233