HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

1. In the Directory tab, right-click the example-people entry under the example.com node
in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display
the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Roles. In the list of users granted access
permission:
a. Select and remove All Users, then click Add.
The Add Users and Groups dialog box opens.
b. Set the Search area in the Add Users and Groups dialog box to Special Rights, and
select Self from the search results list.
c. Click the Add button to list Self in the list of users who are granted access permission.
d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, select the checkbox for write. Make sure the other checkboxes are clear.
5. In the Targets tab, click This Entry to use the ou=example-people,dc=example,dc=com
suffix in the Target directory entry field.
6. In the Hosts tab, click Add to display the Add Host Filter dialog box. In the DNS host filter
field, type *.example.com. Click OK to dismiss the dialog box.
7. To create the value-based filter for roles, switch to manual editing by clicking the Edit Manually
button. Add the following to the beginning of the LDIF statement:
(targattrfilters="add=nsroledn:(nsroledn != "cn=superAdmin, dc=example,dc=com")")
The LDIF statement should read as follows:
(targattrfilters="add=nsroledn:(nsroledn != "cn=superAdmin,dc=example,dc=com")")
(targetattr = "*") (target = "ldap:///ou=example-people,dc=example,dc=com")
(version 3.0; acl "Roles"; allow (write) (userdn = "ldap:///self") and (dns="*.example.com");)
8. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
6.9.4 Granting a group full access to a suffix
Most directories have a group that is used to identify certain corporate functions. These groups
can be given full access to all or part of the directory. By applying the access rights to the group,
you can avoid setting the access rights for each member individually. Instead, you grant users
these access rights simply by adding them to the group.
For example, when the Directory Server is set up with a typical process, an administrators group
with full access to the directory is created by default.
At example.com, the Human Resources group is allowed full access to the
ou=example-people branch of the directory so that they can update the employee database.
This is illustrated in ACI "HR" (page 277).
6.9.4.1 ACI "HR"
In LDIF, to grant the HR group all rights on the employee branch of the directory, use the following
statement:
aci: (version 3.0; acl "HR"; allow (all) userdn=
"ldap:///cn=HRgroup,ou=example-people,dc=example,dc=com";)
This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com
entry.
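The two ACIs on this page (the "Roles" ACI built in steps 1 to 8 above and the "HR" ACI just shown) can also be applied without the Console. The following LDIF is an added example and is not taken from the guide; it assumes the ou=example-people,dc=example,dc=com entry already exists and is fed to ldapmodify while bound as a user allowed to write the aci attribute (for example cn=Directory Manager). The ACI text itself is exactly what the page shows; only the LDIF wrapping and line folding are added here.

```ldif
# Constructed example: add both ACIs from section 6.9 to the
# ou=example-people entry in one modify operation.
# LDIF folding rules: a line that starts with a single space continues the
# previous line, and that one space is removed when the lines are joined.
# Where the ACI needs a space at the fold point, the continuation line
# therefore starts with two spaces.
dn: ou=example-people,dc=example,dc=com
changetype: modify
add: aci
aci: (targattrfilters="add=nsroledn:(nsroledn != "cn=superAdmin,
 dc=example,dc=com")")
 (targetattr = "*") (target = "ldap:///ou=example-people,dc=example,dc=com")
 (version 3.0; acl "Roles"; allow (write)
  (userdn = "ldap:///self") and (dns="*.example.com");)
aci: (version 3.0; acl "HR"; allow (all) userdn=
 "ldap:///cn=HRgroup,ou=example-people,dc=example,dc=com";)
```

Apply it with `ldapmodify -D "cn=Directory Manager" -w <password> -f example-people-aci.ldif` (host and port options as appropriate for the server), then confirm both values were stored with `ldapsearch -D "cn=Directory Manager" -w <password> -b "ou=example-people,dc=example,dc=com" -s base "(objectclass=*)" aci`. Two points worth checking after applying: the targattrfilters clause only restricts which nsroledn values a user may add to their own entry, so the superAdmin role name must match the real role DN exactly or the restriction is ineffective; and the dns bind rule is evaluated from a reverse lookup of the client address, so clients whose addresses do not resolve into *.example.com will be denied by the "Roles" ACI even when they are on the corporate network.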
From the Console, set this permission by doing the following:
6.9 Access control usage examples 277