Subject overview

A subject is the entity that requests access to operate on an object.

It consists of the combination of a DN (Distinguished Name) type and a DN. The valid DN types are access-id, group, and role.

The DN identifies a particular access-id, role, or group. For example, the subject access-id: cn=personA, o=sample names a single entry, and the subject group: cn=deptXYZ, o=sample names a group.

Because the colon (:) is the field delimiter, a DN that contains a colon must be surrounded by double quotation marks ("). If the DN itself contains double quotation marks, each of them must be escaped with a backslash (\).
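The following parser and serializer for the subject field is an added example, not IBM's own code. It applies the three rules above: the colon separates the DN type from the DN, a DN that contains a colon is wrapped in double quotation marks, and a double quotation mark inside such a DN is escaped with a backslash. Everything beyond those rules is an assumption made here for the example: that whitespace after the delimiter is not part of the DN, that DN types are matched case-insensitively, that a DN containing a quotation mark is also quoted, and that a literal backslash inside a quoted DN is written as a doubled backslash so the encoding round-trips.

```python
"""Parse and build ACL subject strings of the form "<dn-type>:<dn>".

Added example; not the directory server's own code. Only the colon
delimiter, the quoting of DNs that contain a colon, and the backslash
escaping of double quotes come from the page. Whitespace handling,
case-insensitive DN types, quoting of DNs that contain a double quote,
and the doubled-backslash escape are assumptions made here.
"""
from dataclasses import dataclass

VALID_DN_TYPES = ("access-id", "group", "role")


@dataclass(frozen=True)
class Subject:
    dn_type: str  # one of VALID_DN_TYPES
    dn: str       # the DN as a plain string, with no quoting or escapes


def build_subject(dn_type: str, dn: str) -> str:
    """Serialize a subject, quoting the DN only when the delimiter rule requires it."""
    if dn_type not in VALID_DN_TYPES:
        raise ValueError(f"invalid DN type {dn_type!r}; expected one of {VALID_DN_TYPES}")
    if not dn:
        raise ValueError("DN must not be empty")
    # Quoting is mandatory when the DN contains the field delimiter; quoting a DN
    # that contains a double quote as well is an assumption for this example.
    if ":" in dn or '"' in dn:
        # Assumption: a literal backslash is doubled so that the decoder cannot
        # mistake a trailing backslash for an escape of the closing quote.
        escaped = dn.replace("\\", "\\\\").replace('"', '\\"')
        return f'{dn_type}:"{escaped}"'
    return f"{dn_type}:{dn}"


def parse_subject(text: str) -> Subject:
    """Parse '<type>:<dn>' or '<type>:"<dn>"' into a Subject, or raise ValueError."""
    head, sep, rest = text.partition(":")
    if not sep:
        raise ValueError(f"missing ':' delimiter in {text!r}")
    dn_type = head.strip().lower()  # assumption: DN type is case-insensitive
    if dn_type not in VALID_DN_TYPES:
        raise ValueError(f"invalid DN type {head.strip()!r} in {text!r}")
    rest = rest.lstrip()  # assumption: whitespace after the delimiter is not part of the DN
    if not rest:
        raise ValueError(f"empty DN in {text!r}")

    if not rest.startswith('"'):
        dn = rest.rstrip()
        # An unquoted DN may not contain the delimiter; the page requires quoting here.
        if ":" in dn:
            raise ValueError(f"unquoted DN contains ':'; wrap it in double quotes: {text!r}")
        return Subject(dn_type, dn)

    # Quoted form: walk the characters, honouring \" (from the page) and \\ (assumption).
    out = []
    i = 1
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest) and rest[i + 1] in '"\\':
            out.append(rest[i + 1])
            i += 2
            continue
        if ch == '"':
            if rest[i + 1:].strip():
                raise ValueError(f"unexpected text after closing quote in {text!r}")
            return Subject(dn_type, "".join(out))
        out.append(ch)
        i += 1
    raise ValueError(f"unterminated quoted DN in {text!r}")


def is_valid_subject(text: str) -> bool:
    """True when text parses as a well-formed subject under the rules above."""
    try:
        parse_subject(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample subjects, including a DN with an embedded colon and quotes.
    for sample in (
        "access-id: cn=personA, o=sample",
        "group: cn=deptXYZ, o=sample",
        'role:"cn=app:server,o=sample"',
        'access-id:"cn=\\"Doe, John\\":1,o=sample"',
        "group:cn=a:b,o=sample",  # invalid: unquoted DN contains the delimiter
    ):
        print(f"{sample!r:48} -> {parse_subject(sample) if is_valid_subject(sample) else 'INVALID'}")
```

The strict rejection of an unquoted DN that contains a colon is the check worth keeping: without it, the text after the second colon would silently be taken as something other than the DN, and the ACL would name a different subject from the one intended.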

All directory groups can be used in access control.

Note: Any group whose structural object class is AccessGroup, GroupOfNames, GroupofUniqueNames, or groupOfURLs, or that carries the ibm-dynamicGroup or ibm-staticGroup auxiliary object class, can be used for access control.

Another DN type that is used within the access control model is role. While roles and groups are similar in implementation, conceptually they are different. When a user is assigned to a role, there is an implicit expectation that the necessary authority is set up to perform the job that is associated with that role. With group membership, there is no built-in assumption about what permissions are gained or denied by being a member of that group.

Like groups, roles are represented in the directory by an entry, and a role entry contains a set of member DNs. A role that is used in access control must have the object class AccessRole.