HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

1. In the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions
from the pop-up menu.
The Access Control Manager window opens with a list of ACIs belonging to the entry.
2. In the Access Control Manager window, select the ACI to delete.
3. Click Remove.
The ACI is no longer listed in the Access Control Manager window.
6.6 Viewing ACIs
All the ACIs under a single suffix in the directory can be viewed from the command line by using
the following ldapsearch command. (The LDAP tools referenced in this guide are Mozilla LDAP,
installed with HP-UX Directory Server in the /opt/dirsrv/bin directory.)
ldapsearch -h host -p port -b baseDN -D rootDN -w rootPassword (aci=*) aci
See the HP-UX Directory Server configuration, command, and file reference for information on
using the ldapsearch utility.
From the Directory Server Console, all the ACIs that apply to a particular entry can be viewed
through the Access Control Manager.
1. Start the Directory Server Console. See “Starting the Directory Server Console” (page 20).
2. In the Directory tab, right-click the entry in the navigation tree, and select Set Access Permissions.
The Access Control Manager opens with a list of the ACIs belonging to the selected entry.
3. Check the Show Inherited ACIs checkbox to display all ACIs created on entries above the
selected entry that also apply.
6.7 Checking access rights on entries (get effective rights)
Finding the rights that a user has on attributes within a specific entry offers a convenient way for
administrators to find and control the access rights.
Use get effective rights to extend directory searches to display the access rights (such as read,
search, write and self-write, add, and delete) a user has to a specified entry.
In Directory Server, regular users can check their rights over entries that they can view and can
check other people's access to their personal entries. The Directory Manager can check rights that
one user has over another user.
The following are two common situations where checking the effective rights of an entry is useful:
An administrator can use the get effective rights command to better organize access control
instructions for the directory. It is frequently necessary to restrict what one group of users can
view or edit versus another group. For instance, members of the QA Managers group may
have the right to search and read attributes like manager and salary, while only HR Group
members have the rights to modify or delete them. Checking the effective rights for a user or
group is one way to verify that the appropriate access controls are in place.
A user can run the get effective rights command to see what attributes they can view or modify
on their personal entry. For instance, a user should have access to attributes such
as homePostalAddress and cn but may only have read access to the manager and salary
attributes.
There are three people involved in a get effective rights search. The first is the person running the
search command, the requestor. The rights are checked (with a variety of permutations) to see
what rights Person A has over Entry B. The person whose rights are being checked (Person A) is
the GER subject; their rights are the subject of the search. The entry or entries to which the person
has rights (Entry B) is the target of the search or the search base.
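The following added example (not from the guide) shows how an administrator can decode the rights a get effective rights search reports for a GER subject on a target entry and compare them with the QA Managers scenario above. It assumes the server returns the rights in the entryLevelRights and attributeLevelRights attributes using the letter codes of 389/Red Hat Directory Server; the sample output is constructed.

```python
# Added example (not from the guide): decode the rights a get effective
# rights search returns and compare them with the expected policy.
# Assumption: the server reports rights in the entryLevelRights and
# attributeLevelRights attributes with the letter codes below, as
# 389/Red Hat Directory Server does. The sample output is constructed.
import re

ENTRY_CODES = {"a": "add", "d": "delete", "n": "rename", "v": "view"}
ATTR_CODES = {"r": "read", "s": "search", "c": "compare", "w": "write",
              "o": "obliterate", "W": "self-write", "O": "self-obliterate"}

# Constructed sample of what a GER search on one entry might return.
SAMPLE_OUTPUT = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
cn: John Doe
entryLevelRights: v
attributeLevelRights: cn:rsc, manager:rs, salary:rs, userPassword:wo
"""

def parse_ger(ldif_text):
    """Return (entry rights, {attribute: set of rights}) from LDIF text."""
    entry_rights, attr_rights = set(), {}
    for line in ldif_text.splitlines():
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "entryLevelRights":
            entry_rights = {ENTRY_CODES[c] for c in value if c in ENTRY_CODES}
        elif name == "attributeLevelRights":
            for item in re.split(r",\s*", value):
                attr, _, codes = item.partition(":")
                attr_rights[attr] = {ATTR_CODES[c] for c in codes
                                     if c in ATTR_CODES}
    return entry_rights, attr_rights

def check_policy(attr_rights, expected):
    """List (attribute, unexpected rights, missing rights) for every
    attribute whose decoded rights differ from the expected policy."""
    problems = []
    for attr, want in expected.items():
        have = attr_rights.get(attr, set())
        if have != want:
            problems.append((attr, have - want, want - have))
    return problems

# The guide's scenario: QA Managers may search and read manager and
# salary, but only HR Group members may modify or delete them.
QA_MANAGER_POLICY = {"manager": {"read", "search"},
                     "salary": {"read", "search"}}
```

An empty result from check_policy means the GER subject holds exactly the rights the policy intends; any tuple returned names an attribute whose rights are too broad or too narrow.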
262 Managing Access Control