The Access Control Rules form contains buttons, areas, and
fields that allow you to target an entry and set the corresponding permissions
and bind rules. After you set the target, permissions, and bind rules using
the Access Control Rules form and its associated areas, you must save the
new ACI.
Access Control Rules Form Buttons
The Access Control Rules form contains the following buttons:
- New Line -- Provides an additional option line. For more information on
the options area, see "Using the Options Area" below.
- Submit -- Causes changes made to the ACI to be saved to the directory. For
more information on saving changes to the directory, see "Applying Changes
Made to the Access Control Rules Form" below.
- Revert -- Causes the Access Control Rules form to revert to its original
state when you first displayed it. This essentially provides you an undo
for any changes you have made to the ACI since the last time you submitted
changes to the directory.
- Help -- Displays help on how to use the Access Control Rules form.
- Show LDIF -- Provides a read-only display of the ACI in LDIF format.
- Browse -- Allows you to browse the directory tree to select an entry to
target. When browsing, you can press the Control or Shift
keys while left-clicking your mouse to select multiple DNs.
Access Control Rules Form Areas
The Access Control Rules form consists of the following areas:
- The top part of the screen is the options area. The options area provides
links to forms that allow you to set actual access control. There is always
at least one line representing an access control; however, multiple lines
are allowed. This area of the Access Control Rules form is described in
"Using the Options Area."
- The bottom part of the form is the rules area. The rules area allows you
to do three things.
  - Set a name for the ACI instruction you are creating. The name is optional;
  if you do not specify a name, "untitled" is used.
  - Set the target for the ACI. The target is required.
  - Supply the bind DN and password to be used to log in to the directory and
  make the ACI changes. If the directory entry that you are writing to currently
  has no write permissions set for it, then you must use the root DN (unrestricted
  user) to set this permission.
Using the Options Area
The options area is the top portion of the Access Control Rules
form. The links in this area allow you to define the permissions and bind
rules set by your ACI.
Each line in this area represents a unique permission/bind rule pair
for the ACI. You can add a new line by clicking on the New Line
button in the Access Control Rules form. You can delete a line by clicking
on the trash can next to the line. If all the lines are deleted, then the
ACI is deleted when the Access Control Rules form is submitted.
The options area has the following links:
- Action -- Defines whether the ACI allows or denies the permission.
- Users/Groups -- Defines the users and groups to which the ACI applies and
the authentication methods that must be used when binding.
- From Host -- Defines the hosts or IP addresses to which the ACI applies.
- Rights -- Defines the type of rights (read, write, add, delete, search,
selfwrite, and/or compare) that the ACI allows or denies.
- Extra... -- Allows you to view and edit the ACI bind rules.
- Trash can -- Deletes the permission line. The line is deleted immediately.
With the exception of the trash can, when you click one of these links,
an additional area is displayed at the bottom of the Access Control Rules
form that is related to the link that you selected. The following sections
describe these areas.
The Action Area--The Action area allows you to define whether
the ACI is an allow or deny permission. An allow permission allows the
access described by the ACI. A deny permission explicitly denies the access.
For more information on selecting an action, see "Allowing
or Denying Access." For a description of each field in the Action Area,
see "Access
Control Field Summary."
Select either Allow or Deny, and then click Update.
To save your changes, you must click Submit in the main part of
the Access Control Rules form.
The Users/Groups Area--The Users/Groups area allows you to specify
the user(s), group(s), or User DN attribute and the client authentication
methods to which the permission applies. This dialog contributes to the
bind rule portion of the ACI. If an ACI's bind rule is evaluated to be
true, then the permission applies to the client directory request. For
example, if a person binds to the directory using a User DN identified
in this area, then the permission is either allowed or denied for them.
Similarly, if a client binds to the directory using an authentication method
selected in this area, then the permission is either allowed or denied
for them.
For information on user and group definition options, see "User
and Group Access."
For information on specifying authentication methods, see "Access
Based on Authentication Method."
For a description of each field in the Users/Groups Area, see "Access
Control Field Summary."
Once you have made your changes to this area, click Update. To
save your changes in the directory, you must click Submit in the
main part of the Access Control Rules form.
The From Host Area--The From Host area allows you to specify
the hosts to which the permission applies. This dialog contributes to the
bind rule portion of the ACI. If an ACI's bind rule is evaluated to be
true, then the permission applies to the client directory request. For
example, if a person binds to the directory from a host identified in this
area, then the permission is either allowed or denied for them.
For information on specifying hosts and IP addresses, see "Access
from a Specific Machine or Domain." For a description of each field
in the From Host Area, see "Access
Control Field Summary."
Once you have made your changes to this area, click Update. To
save your changes, you must click Submit in the main part of the
Access Control Rules form.
The Rights Area--The Rights area allows you to specify the permission(s)
that you are either allowing or denying.
For information on access rights, see "Assigning
Rights." For a description of each field in the Rights Area, see "Access
Control Field Summary."
Once you have made your changes to this area, click Update. To
save your changes, you must click Submit in the main part of the
Access Control Rules form.
The Extra Area--The Directory Server access control mechanism
is extremely flexible. As a result, not every type of possible bind rule
can be easily expressed using a graphical user interface. To compensate
for this, the Extra area (or Customized Expressions) is provided to allow
you to specify customized bind rules that cannot otherwise be expressed
using the ACI GUI. Essentially, this area of the GUI allows you to provide
the LDIF statement for the ACI's bind rule.
Some of the things that you can express using LDIF but that you cannot
set using the ACI GUI are:
Once you have made your changes to this area, click Update. To save
your changes, you must click Submit in the main part of the Access
Control Rules form.
For information on using LDIF to express bind rules, see "Setting
Bind Rules Using LDIF."
The Trash Can--Use the trash can to delete the permission line.
The line is deleted immediately. If all the permission lines for a given
ACI have been deleted, then the ACI is deleted from the directory when
the changes are submitted using the Submit button.
If you accidentally delete a line, you can get it back by using the Revert
button. However, be aware that all of the changes you made to the form
since you originally displayed the ACI will also be lost.
Applying Changes Made to the Access Control Rules Form
After you have made your changes to the Access Control Rules form,
do the following:
- Make sure that a valid DN is entered in the Target field.
- Make sure a valid bind DN is entered in the Bind DN field.
- Enter the appropriate password for the bind DN.
- Click the Submit button. This button causes the Server Manager to
bind to the directory using the supplied bind DN and password. If you have
provided valid bind credentials, and you have write permissions for the
specified target's ACI attribute, then the Server Manager will modify the
directory as indicated by the entries on the Access Control Rules form.
When the operation is completed, the server will display a message indicating
that the operation was successful.
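The following Python script is an added example, not code from the original documentation or from the Server Manager itself. It models what the options area (one permission/bind rule pair per line, built from the Action, Users/Groups, From Host, Rights and Extra areas) and the rules area (optional name, required target) assemble, and the LDIF modify record that the Submit step writes to the target entry's aci attribute. It assumes the Netscape/389-style aci value syntax (target, version 3.0, acl name, allow/deny clauses with userdn, groupdn, authmethod, dns and ip bind rules); the form's real output may differ in spacing, and the DN check is a minimal assumption rather than a full DN parser. All DNs, group names and hosts are constructed sample values.

```python
"""Model of the Access Control Rules form: build the aci value that Show LDIF
would display and the LDIF record that Submit would apply. Added example;
assumes Netscape/389-style ACI syntax (an assumption, not taken from the page)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Rights offered by the Rights area.
RIGHTS = {"read", "write", "add", "delete", "search", "selfwrite", "compare"}


@dataclass
class PermissionLine:
    """One line of the options area: an action, its rights, and its bind rule."""
    action: str                      # Action area: "allow" or "deny"
    rights: List[str]                # Rights area
    users: List[str] = field(default_factory=list)        # Users/Groups: user DNs
    groups: List[str] = field(default_factory=list)       # Users/Groups: group DNs
    authmethods: List[str] = field(default_factory=list)  # Users/Groups: auth methods
    hosts: List[str] = field(default_factory=list)        # From Host: DNS names
    ips: List[str] = field(default_factory=list)          # From Host: IP patterns
    extra: Optional[str] = None      # Extra area: customized bind-rule expression


# Minimal "attr=value,attr=value" check (assumption; not a full RFC 4514 parser).
_RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^,]+$")


def is_valid_dn(dn: str) -> bool:
    return bool(dn) and all(_RDN.match(rdn) for rdn in dn.split(","))


def _alternatives(keyword: str, values: List[str], prefix: str = "") -> str:
    """Join several values for one keyword with 'or'; parenthesise if more than one."""
    clause = " or ".join(f'{keyword}="{prefix}{v}"' for v in values)
    return f"({clause})" if len(values) > 1 else clause


def bind_rule(line: PermissionLine) -> str:
    """Bind rule contributed by the Users/Groups, From Host and Extra areas."""
    clauses = []
    if line.users:
        clauses.append(_alternatives("userdn", line.users, "ldap:///"))
    if line.groups:
        clauses.append(_alternatives("groupdn", line.groups, "ldap:///"))
    if line.authmethods:
        clauses.append(_alternatives("authmethod", line.authmethods))
    if line.hosts:
        clauses.append(_alternatives("dns", line.hosts))
    if line.ips:
        clauses.append(_alternatives("ip", line.ips))
    if line.extra:
        clauses.append(f"({line.extra})")
    return " and ".join(clauses)


def permission_clause(line: PermissionLine) -> str:
    """One 'allow (...) bind-rule;' or 'deny (...) bind-rule;' clause."""
    if line.action not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny, not {line.action!r}")
    if not line.rights or set(line.rights) - RIGHTS:
        raise ValueError(f"rights must be a non-empty subset of {sorted(RIGHTS)}")
    rule = bind_rule(line)
    if not rule:
        raise ValueError("a permission line needs at least one bind rule")
    return f"{line.action} ({','.join(line.rights)}) {rule};"


def build_aci(target_dn: str, lines: List[PermissionLine], name: Optional[str] = None) -> str:
    """The aci value for the form's current state (what Show LDIF displays)."""
    if not is_valid_dn(target_dn):
        raise ValueError("a valid target DN is required")
    name = name or "untitled"          # name is optional; "untitled" is the default
    body = " ".join(permission_clause(line) for line in lines)
    return f'(target="ldap:///{target_dn}")(version 3.0; acl "{name}"; {body})'


def build_ldif(target_dn: str, lines: List[PermissionLine], name: Optional[str] = None,
               existing_aci: Optional[str] = None) -> str:
    """LDIF modify record equivalent to pressing Submit. With every permission line
    deleted, only the existing ACI is removed, as the form does. Values are not
    folded at 76 columns here; an LDIF writer normally wraps long lines."""
    if not is_valid_dn(target_dn):
        raise ValueError("a valid target DN is required")
    if not lines and existing_aci is None:
        raise ValueError("no permission lines and no existing ACI to delete")
    record = [f"dn: {target_dn}", "changetype: modify"]
    if existing_aci is not None:
        record += ["delete: aci", f"aci: {existing_aci}", "-"]
    if lines:
        record += ["add: aci", f"aci: {build_aci(target_dn, lines, name)}", "-"]
    return "\n".join(record) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    hr_read = PermissionLine("allow", ["read", "search", "compare"],
                             groups=["cn=HR,ou=Groups,dc=example,dc=com"],
                             authmethods=["ssl"], ips=["10.0.0.*"])
    no_remote_write = PermissionLine("deny", ["write"], users=["anyone"],
                                     hosts=["*.contractor.example.net"])
    print(build_ldif("ou=People,dc=example,dc=com", [hr_read, no_remote_write], name="hr-read"))
```

Run it to see the record that an `ldapmodify` against the target entry would carry; the bind DN and password from the rules area are not part of the LDIF, they are the credentials the Server Manager binds with before sending it, which is why a DN without write access to the target's aci attribute (or the root DN, when no write permission exists yet) decides whether the modify succeeds.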