HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Rights are granted independently of one another. This means, for example, that a user who is
granted add rights can create an entry but cannot delete it if delete rights have not been specifically
granted. Therefore, when planning the access control policy for your directory, you must ensure
that you grant rights in a way that makes sense for users. For example, it does not usually make
sense to grant write permission without granting read and search permissions.
NOTE:
The proxy mechanism is very powerful and must be used sparingly. Proxy rights are granted within
the scope of the ACL, and there is no way to restrict which users an entry holding the proxy right
can impersonate; that is, when you grant a user proxy rights, that user can proxy for any user under
the target, and the proxy right cannot be narrowed to only certain users. For example, if an entity
has proxy rights to the dc=example,dc=com tree, that entity can act as any user under that tree.
Make sure you set the proxy ACI at the lowest possible level of the DIT; see “Proxied authorization
ACI example” (page 284).
6.3.3.3 Rights required for LDAP operations
This section describes the rights you need to grant to users depending on the type of LDAP operation
you want to authorize them to perform.
Adding an entry:
  - Grant add permission on the entry being added.
  - Grant write permission on the value of each attribute in the entry. This right is granted
    by default but could be restricted using the targattrfilters keyword.
Deleting an entry:
  - Grant delete permission on the entry to be deleted.
  - Grant write permission on the value of each attribute in the entry. This right is granted
    by default but could be restricted using the targattrfilters keyword.
Modifying an attribute in an entry:
  - Grant write permission on the attribute type.
  - Grant write permission on the value of each attribute type. This right is granted by default
    but could be restricted using the targattrfilters keyword.
Modifying the RDN of an entry:
  - Grant write permission on the entry.
  - Grant write permission on the attribute type used in the new RDN.
  - Grant write permission on the attribute type used in the old RDN, if you want to grant
    the right to delete the old RDN.
  - Grant write permission on the value of the attribute type used in the new RDN. This right
    is granted by default but could be restricted using the targattrfilters keyword.
Comparing the value of an attribute:
  - Grant compare permission on the attribute type.
Searching for entries:
  - Grant search permission on each attribute type used in the search filter.
  - Grant read permission on the attribute types returned in the entry.
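The following is an added example and is not code from the HP-UX Directory Server guide. It encodes the
rights-per-operation rules listed above (and the point from the start of this section that rights are granted
independently, so write never implies read or search) as a small checker, and renders an aci value in the
(targetattr)(version 3.0; acl "..."; allow (...) bind-rule;) syntax used elsewhere in this chapter. The
operation names (add, delete, modify, modrdn, compare, search), the help-desk group DN and the attribute
names in the sample run are constructed for illustration; the bind rule string is passed through unchanged.

```python
# Added example, not from the HP-UX Directory Server guide: check whether a set
# of granted ACI rights covers an LDAP operation, per section 6.3.3.3.

ALL_RIGHTS = frozenset({"read", "search", "compare", "write", "add", "delete", "proxy"})

# Operation -> rights the section says must be granted. add/delete are
# entry-level rights on the target entry; write/search/read/compare apply to
# the attribute types (and values) the request touches. Operation names are
# constructed labels for this example.
REQUIRED_RIGHTS = {
    "add":     frozenset({"add", "write"}),      # add the entry, write each attribute value
    "delete":  frozenset({"delete", "write"}),   # delete the entry, write each attribute value
    "modify":  frozenset({"write"}),             # write on attribute type and value
    "modrdn":  frozenset({"write"}),             # write on entry, new RDN attribute (old one to delete it)
    "compare": frozenset({"compare"}),           # compare on the attribute type
    "search":  frozenset({"search", "read"}),    # search on filter attributes, read on returned ones
}


def missing_rights(operation, granted):
    """Return the rights still missing for `operation` given the set `granted`.

    Rights are independent of one another, so nothing is implied: a grant of
    write does not bring read or search with it.
    """
    if operation not in REQUIRED_RIGHTS:
        raise ValueError(f"unknown operation: {operation!r}")
    granted = frozenset(granted)
    unknown = granted - ALL_RIGHTS
    if unknown:
        raise ValueError(f"unknown rights: {sorted(unknown)}")
    return REQUIRED_RIGHTS[operation] - granted


def is_allowed(operation, granted):
    """True when `granted` covers every right the operation needs."""
    return not missing_rights(operation, granted)


def build_aci(name, rights, bind_rule, targetattr=None):
    """Render an aci value: (targetattr="a || b")(version 3.0; acl "name"; allow (r1,r2) bind_rule;).

    `rights` is validated against ALL_RIGHTS and emitted in sorted order;
    `targetattr`, when given, is a list of attribute type names joined with
    " || "; `bind_rule` (for example userdn="ldap:///self") is used as-is.
    """
    rights = sorted(set(rights))
    unknown = set(rights) - ALL_RIGHTS
    if unknown:
        raise ValueError(f"unknown rights: {sorted(unknown)}")
    target = f'(targetattr="{" || ".join(targetattr)}")' if targetattr else ""
    return f'{target}(version 3.0; acl "{name}"; allow ({",".join(rights)}) {bind_rule};)'


if __name__ == "__main__":
    # Constructed sample: a help-desk group that was granted only write.
    helpdesk = {"write"}
    for op in ("modify", "search", "add"):
        gap = missing_rights(op, helpdesk)
        print(f"{op:8s} allowed={not gap} missing={sorted(gap)}")
    # The sensible grant for editing contact fields: write plus read and search.
    print(build_aci("Help desk edits contact fields", {"read", "search", "write"},
                    'groupdn="ldap:///cn=HelpDesk,ou=Groups,dc=example,dc=com"',
                    ["telephoneNumber", "mail"]))
```

Running the sample shows that write alone permits modify but leaves search short of both search and read,
and add short of the entry-level add right, which is the mismatch the opening paragraph of this section warns
about. Limit targetattr to the attributes the role actually needs; a rule without targetattr applies to every
attribute of the targeted entries.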
6.3 Creating ACIs manually 241