HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

1. In the Directory tab, right-click the example-people entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type HR. In the list of users granted access permission:
   a. Select and remove All Users, then click Add.
      The Add Users and Groups dialog box opens.
   b. Set the Search area to Users and Groups, and type HRgroup in the Search for field.
      This example assumes that you have created an HR group or role. For more information on groups and roles, see “Organizing Entries with roles, Class of service, and Views” (page 166).
   c. Click the Add button to list the HR group in the list of users who are granted access permission.
   d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, click the Check All button.
   All checkboxes are selected, except for proxy rights.
5. Click OK.
   The new ACI is added to the ones listed in the Access Control Manager window.
6.9.5 Granting rights to add and delete group entries
Some organizations want to allow employees to create entries in the tree if it can increase their efficiency or if it can contribute to the corporate dynamics.
At example.com, there is an active social committee that is organized into various clubs, such as tennis, swimming, and skiing. Any example.com employee can create a group entry representing a new club. This is illustrated in “ACI "Create Group"” (page 278). Any example.com employee can become a member of one of these groups. This is illustrated in “ACI "Group Members"” (page 283) under “Allowing users to add or remove themselves from a group” (page 283). Only the group owner can modify or delete a group entry. This is illustrated in “ACI "Delete Group"” (page 279).
6.9.5.1 ACI "Create Group"
In LDIF, to grant example.com employees the right to create a group entry under the ou=Social
Committee branch, write the following statement:
aci: (target="ldap:///ou=social committee,dc=example,dc=com")
  (targattrfilters="add=objectClass:(objectClass=groupOfNames)")
  (version 3.0; acl "Create Group"; allow (add)
  (userdn= "ldap:///uid=*,ou=example-people,dc=example,dc=com")
  and dns="*.example.com";)
NOTE:
This ACI does not grant write permission, which means that the entry creator cannot modify the
entry.
This example assumes that the ACI is added to the ou=social committee,dc=example,dc=com entry.
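A single missing quote or parenthesis is enough to make an ACI statement malformed. The following added example (not part of the HP guide) is a structural pre-check for an ACI value before it is loaded into the directory; the function names and the deliberately broken BAD and TRUNCATED samples are constructed for illustration.

```python
import re

def unfold(ldif_attr: str) -> str:
    """Join LDIF continuation lines (newline + one space) and drop the 'aci:' prefix."""
    joined = re.sub(r"\r?\n ", "", ldif_attr.strip())
    return re.sub(r"^aci:\s*", "", joined)

def lint_aci(aci: str) -> list:
    """Return structural problems in one ACI value (not a full syntax check;
    the directory server remains the authority on what it accepts)."""
    problems, depth, in_quote = [], 0, False
    for pos, ch in enumerate(aci):
        if ch == '"':
            in_quote = not in_quote
        elif in_quote:
            continue                      # parentheses inside quotes are data
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unmatched ')' at offset {pos}")
                depth = 0
    if in_quote:
        problems.append("unterminated double quote")
    elif depth:
        problems.append(f"{depth} unclosed '('")
    if not re.search(r'\(\s*version 3\.0\s*;\s*acl\s+"[^"]+"\s*;', aci):
        problems.append("missing 'version 3.0; acl \"name\";' header")
    if not re.search(r";\s*\)\s*$", aci):
        problems.append("permission rule must end with ';)'")
    return problems

# The "Create Group" ACI from this section, folded as LDIF.
GOOD = (
    'aci: (target="ldap:///ou=social committee,dc=example,dc=com")\n'
    '  (targattrfilters="add=objectClass:(objectClass=groupOfNames)")\n'
    '  (version 3.0; acl "Create Group"; allow (add)\n'
    '  (userdn= "ldap:///uid=*,ou=example-people,dc=example,dc=com")\n'
    '  and dns="*.example.com";)\n'
)
# Constructed broken variants: closing quote of the target dropped; final ')' cut off.
BAD = GOOD.replace('dc=com")', 'dc=com)', 1)
TRUNCATED = '(targetattr="*")(version 3.0; acl "x"; allow (read) userdn="ldap:///self";'

if __name__ == "__main__":
    for label, raw in (("GOOD", GOOD), ("BAD", BAD), ("TRUNCATED", TRUNCATED)):
        print(label, lint_aci(unfold(raw)) or "ok")
```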
From the Console, set this permission by doing the following: