HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)
This example assumes that the ACI is added to the ou=subscribers,dc=example,dc=com
entry. It also assumes that every subscriber entry has an unlistedSubscriber attribute that is
set to yes or no. The target definition filters out the unlisted subscribers based on the value of this
attribute. For details on the filter definition, see “Setting a target using filtering” (page 282).
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the Subscribers entry under the example.com node in the
left navigation tree, and choose Set Access Permissions from the pop-up menu to display the
Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Anonymous World. Check that All
Users opens in the list of users granted access permission.
4. In the Rights tab, select the checkboxes for read and search rights. Make sure the other
checkboxes are clear.
5. In the Targets tab, click This Entry to display the ou=subscribers, dc=example,dc=com
suffix in the Target directory entry field.
6. In the Filter for subentries field, type the following filter:
(!(unlistedSubscriber=yes))
7. In the attribute table, select the checkboxes for the homePhone, homePostalAddress, and
mail attributes.
All other checkboxes should be clear; if it is easier, click the Check None button to clear the
checkboxes for all attributes in the table, then click the Name header to organize them
alphabetically, and select the appropriate ones.
8. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
6.9.2 Granting write access to personal entries
Many directory administrators want to allow internal users to change some but not all the attributes
in their own entry. The directory administrators at example.com want to allow users to change
their own password, home telephone number, and home address, but nothing else. This is illustrated
in “ACI "Write example.com"” (page 274).
It is also example.com's policy to let their subscribers update their own personal information in
the example.com tree, provided that they establish an SSL connection to the directory. This is
illustrated in “ACI "Write Subscribers"” (page 275).
6.9.2.1 ACI "Write example.com"
NOTE:
By setting this permission, you are also granting users the right to delete attribute values.
Granting example.com employees the right to update their password, home telephone number,
and home address has the following statement in LDIF:
aci: (targetattr="userPassword || homePhone ||
homePostalAddress") (version 3.0; acl "Write example.com"; allow
(write) userdn= "ldap:///self" and dns="*.example.com";)
This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com
entry.
From the Console, set this permission by doing the following:
274 Managing Access Control