Target Skill:

Ability to modify an existing ACI.

More Info:

See...

Access Control Forms

You can define permissions for the directory using the Access Control forms. To access the Access Control forms:
  1. Make sure the Directory Server is running.
  2. From the Directory Server Manager, go to the Access Control | Access Control Overview form.
  3. Bind to the directory. You must enter the username and password of a privileged directory user, such as the directory manager, who has access to all ACI instructions that have been set for the directory.
  4. After a pause while the ACL information is loaded, the Access Control Overview form is displayed.

This form displays the following information for each ACI:

  • Resource -- Identifies the ACI's target. The resource, or target, is a directory entry to which the ACI applies, or one or more attributes to which the ACI applies, or both.
  • ACI Name -- Descriptive name that you can give to each ACI to help you identify them. If you do not supply an ACI name, then Untitled is used by default.

To change or delete an existing ACI, click on the ACI's resource information or on its name. To create a new ACI, click on New ACI. Either way, a new browser window is opened to display the Access Control Rules form. 

Using the Access Control Rules Form

The Access Control Rules form contains buttons, areas, and fields that allow you to target an entry and set the corresponding permissions and bind rules. After you set the target, permissions, and bind rules using the Access Control Rules form and its associated areas, you must save the new ACI.

Access Control Rules Form Buttons

The Access Control Rules form contains the following buttons:

  • New Line -- Provides an additional option line. For more information on the options area, see "Using the Options Area" below.
  • Submit -- Causes changes made to the ACI to be saved to the directory. For more information on saving changes to the directory, see "Applying Changes Made to the Access Control Rules Form" below.
  • Revert -- Causes the Access Control Rules form to revert back to its original state when you first displayed it. This essentially provides you an undo for any changes you have made to the ACI since the last time you submitted changes to the directory.
  • Help -- Displays help on how to use the Access Control Rules form.
  • Show LDIF -- Provides a read-only display of the ACI in LDIF format.
  • Browse -- Allows you to browse the directory tree to select an entry to target. When browsing, you can press the Control or Shift keys while left-clicking your mouse to select multiple DNs.

Access Control Rules Form Areas

The Access Control Rules form consists of the following areas:

  • The top part of the screen is the options area. The options area provides links to forms that allow you to set actual access control. There is always at least one line representing an access control; however, multiple lines are allowed. This area of the Access Control Rules form is described in "Using the Options Area."
  • The bottom part of the form is the rules area. The rules area allows you to do three things:
    • Set a name for the ACI instruction you are creating. The name is optional; if you do not specify a name, "untitled" is used.
    • Set the target for the ACI. The target is required.
    • Supply the bind DN and password to be used to log in to the directory and make the ACI changes. If the directory entry that you are writing to currently has no write permissions set for it, then you must use the root DN (unrestricted user) to set this permission.

Using the Options Area

 The options area is the top portion of the Access Control Rules form. The links in this area allow you to define the permissions and bind rules set by your ACI. 

Each line in this area represents a unique permission/bind rule pair for the ACI. You can add a new line by clicking on the New Line button in the Access Control Rules form. You can delete a line by clicking on the trash can next to the line. If all the lines are deleted, then the ACI is deleted when the Access Control Rules form is submitted. 

The options area has the following links:

  • Action -- Defines whether the ACI allows or denies the permission.
  • Users/Groups -- Defines the users and groups to which the ACI applies and the authentication methods that must be used when binding.
  • From Host -- Defines the hosts or IP addresses to which the ACI applies.
  • Rights -- Defines the type of rights (read, write, add, delete, search, selfwrite, and/or compare) that the ACI allows or denies.
  • Extra.... -- Allows you to view and edit the ACI bind rules.
  • Trash can -- Deletes the permission line. The line is deleted immediately.

With the exception of the trash can, when you click one of these links, an additional area is displayed at the bottom of the Access Control Rules form that is related to the link that you selected. The following sections describe these areas.

The Action Area--The Action area allows you to define whether the ACI is an allow or deny permission. An allow permission allows the access described by the ACI. A deny permission explicitly denies the access. 

For more information on selecting an action, see "Allowing or Denying Access." For a description of each field in the Action Area, see "Access Control Field Summary." 

Select either Allow or Deny, and then click Update. To save your changes, you must click Submit in the main part of the Access Control Rules form. 

The Users/Groups Area--The Users/Groups area allows you to specify the user(s), group(s), or User DN attribute and the client authentication methods to which the permission applies. This dialog contributes to the bind rule portion of the ACI. If an ACI's bind rule is evaluated to be true, then the permission applies to the client directory request. For example, if a person binds to the directory using a User DN identified in this area, then the permission is either allowed or denied for them. Similarly, if a client binds to the directory using an authentication method selected in this area, then the permission is either allowed or denied for them. 

For information on user and group definition options, see "User and Group Access." 

For information on specifying authentication methods, see "Access Based on Authentication Method." 

For a description of each field in the Users/Groups Area, see "Access Control Field Summary." 

Once you have made your changes to this area, click Update. To save your changes in the directory, you must click Submit in the main part of the Access Control Rules form. 

The From Host Area--The From Host area allows you to specify the hosts to which the permission applies. This dialog contributes to the bind rule portion of the ACI. If an ACI's bind rule is evaluated to be true, then the permission applies to the client directory request. For example, if a person binds to the directory from a host identified in this area, then the permission is either allowed or denied for them.

For information on specifying hosts and IP addresses, see "Access from a Specific Machine or Domain." For a description of each field in the From Host Area, see "Access Control Field Summary."

Once you have made your changes to this area, click Update. To save your changes, you must click Submit in the main part of the Access Control Rules form. 

The Rights Area--The Rights area allows you to specify the permission(s) that you are either allowing or denying. 

For information on access rights, see "Assigning Rights." For a description of each field in the Rights Area, see "Access Control Field Summary." 

Once you have made your changes to this area, click Update. To save your changes, you must click Submit in the main part of the Access Control Rules form. 

The Extra Area--The Directory Server access control mechanism is extremely flexible. As a result, not every type of possible bind rule can be easily expressed using a graphical user interface. To compensate for this, the Extra area (or Customized Expressions) is provided to allow you to specify customized bind rules that cannot otherwise be expressed using the ACI GUI. Essentially, this area of the GUI allows you to provide the LDIF statement for the ACI's bind rule. 

Some of the things that you can express using LDIF but that you cannot set using the ACI GUI are:

Once you have made your changes to this area, click Update. To save your changes, you must click Submit in the main part of the Access Control Rules form. 

For information on using LDIF to express bind rules, see "Setting Bind Rules Using LDIF." 

The Trash Can--Use the trash can to delete the permission line. The line is deleted immediately. If all the permission lines for a given ACI have been deleted, then the ACI is deleted from the directory when the changes are submitted using the Submit button. 

If you accidentally delete a line, you can get it back by using the Revert button. However, be aware that all of the changes you made to the form since you originally displayed the ACI will also be lost.
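The following is an added example, not part of the original page or of the Directory Server product: it takes an ACI value in the version 3.0 syntax that Show LDIF displays and splits it into the pieces the form presents (resource, ACI name, and one allow/deny line per permission/bind-rule pair), noting which options-area link (Users/Groups, From Host, or Extra) each bind-rule keyword belongs to. It also flags allow lines that grant write, add, or delete with no user or group restriction, which is worth checking before clicking Submit. The sample ACI, its DNs, group, network range, and time value are constructed placeholders.

```python
import re

# Constructed sample in Netscape Directory Server version 3.0 ACI syntax (the aci
# attribute value that Show LDIF displays); all DNs and values are placeholders.
SAMPLE_ACI = (
    '(target="ldap:///ou=People,o=example.com")'
    '(targetattr="mail || telephoneNumber")'
    '(version 3.0; acl "HR phone update"; '
    'allow (read, search, write) '
    'groupdn="ldap:///cn=HR,ou=Groups,o=example.com" and '
    'authmethod="ssl" and ip="192.0.2.*" and timeofday>="0800"; '
    'deny (write) userdn="ldap:///anyone" and authmethod="none";)'
)

# Bind-rule keywords the Users/Groups and From Host areas can express; any other
# keyword (timeofday, dayofweek, ...) can only be entered through the Extra area.
AREA_FOR_KEYWORD = {"userdn": "Users/Groups", "groupdn": "Users/Groups",
                    "userattr": "Users/Groups", "authmethod": "Users/Groups",
                    "ip": "From Host", "dns": "From Host"}

def parse_aci(aci):
    """Split one ACI value into the pieces the Access Control Rules form shows."""
    # Resource: the (target=...) and (targetattr=...) clauses.
    resource = re.findall(r'\((target(?:attr)?)\s*(!?=)\s*"([^"]*)"\)', aci)
    body = re.search(r'\(version 3\.0;\s*acl\s+"([^"]*)";\s*(.*)\)\s*$', aci, re.S)
    if not body:
        raise ValueError("not a version 3.0 ACI")
    name, rules = body.group(1), body.group(2)
    lines = []
    # Each "allow|deny (rights) bind-rule;" pair is one line of the options area.
    for action, rights, bind in re.findall(
            r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', rules, re.S):
        # Blank out quoted values so "ou=" inside a DN is not taken as a keyword.
        keywords = re.findall(r'(\w+)\s*[<>!]?=', re.sub(r'"[^"]*"', '""', bind))
        lines.append({
            "action": action,
            "rights": [r.strip() for r in rights.split(",")],
            "bind_rule": bind.strip(),
            "areas": sorted({AREA_FOR_KEYWORD.get(k, "Extra") for k in keywords}),
        })
    return {"resource": resource, "name": name or "Untitled", "lines": lines}

def unrestricted_write_lines(parsed):
    """Allow lines granting write/add/delete with no Users/Groups restriction:
    the first thing to look for when reviewing an ACI before submitting it."""
    return [ln for ln in parsed["lines"]
            if ln["action"] == "allow"
            and {"write", "add", "delete"} & set(ln["rights"])
            and "Users/Groups" not in ln["areas"]]
```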

Applying Changes Made to the Access Control Rules Form

After you have made your changes to the Access Control Rules form, do the following:

  1. Make sure that a valid DN is entered in the Target field.
  2. Make sure a valid bind DN is entered in the Bind DN field.
  3. Enter the appropriate password for the bind DN.
  4. Click the Submit button. This button causes the Server Manager to bind to the directory using the supplied bind DN and password. If you have provided valid bind credentials, and you have write permissions for the specified target's ACI attribute, then the Server Manager will modify the directory as indicated by the entries on the Access Control Rules form. When the operation is completed, the server will display a message indicating that the operation was successful.

Produced By Netscape Learning.  Copyright © 1998 Netscape Communications, Inc.