aclEntry attribute
- Who has rights to the entry (scope of the protection). Also called the subject.
- What specific attributes and classes of attributes (attribute access classes) that the subject has access to.
- What rights the subject has (permissions to specific attributes and classes of attributes).
Syntax
Following is the aclEntry attribute value syntax:
aclEntry: aclEntry_value
- where,
- aclEntry_value :- [access-id:|group:|role:] subject_DN [granted_rights]
- or,
- aclEntry_value :- aclFilter:filter: operation [granted_rights]
- subject_DN :- valid DN, the object that privileges are granted to.
- filter :- valid search filter, using the following attributes only: ibm-filterSubject, ibm-filterIP, ibm-filterTimeOfDay, ibm-filterDayOfWeek, ibm-filterBindMechanism, and ibm-filterConnectionEncrypted. See ACL filters for more information.
- operation :- union | replace | intersect. See ACL filters for more information.
- granted_rights :- object_rights | normal_rights | sensitive_rights | critical_rights | restricted_rights | system_rights | attr_rights
- object_rights :- :object:[grant:|deny:] object_rights_list
- object_rights_list :- [a|d]
- normal_rights :- :normal:[grant:|deny:] attr_rights_list
- sensitive_rights :- :sensitive:[grant:|deny:] attr_rights_list
- critical_rights :- :critical:[grant:|deny:] attr_rights_list
- restricted_rights :- :restricted:[grant:|deny:] attr_rights_list
- system_rights :- :system:[grant:|deny:] attr_rights_list
- attr_rights :- :at.attr_name:[grant:|deny:] attr_rights_list
- attr_name:- any valid attribute name
- attr_rights_list :- [r|w|s|c]
The subject_DN is any valid DN that represents the object (entry) to which privileges are being granted. The DN ends when the first granted rights keyword is detected.
The granted_rights is specified as follows where object_rights_list is one or more elements of the set [a|d], and attr_rights_list is one or more elements of the set [r|w|s|c].
See ACL filters for more information about the filter and operation values.
group:cn=Anybody:normal:rs:system:rsc:normal:c:normal:deny:w
results this merged access listgroup:cn=Anybody:normal:rsc:normal:deny:w:system:rsc
Scope of protection
The scope of the protection is based on the following types of privilege attributes:
- access-id
- The distinguished name of an entry to set permissions for.
- group
- The distinguished name of the group entry to set permissions for.
- role
- The distinguished name of the group entry to set permissions for.
- aclFilter
- The aclEntry filter, that if evaluates to true, reduces, augments, or replaces the set of permissions. The server compatibility must be 6 or greater to use an aclFilter in an aclEntry attribute. See serverCompatLevel {3 | 4 | 5 | 6 | 7| 8} for more information about the server compatibility level.
Access control groups can be either static, dynamic, or nested groups. The following object classes are evaluated as group entries for the LDBM, TDBM, and CDBM backends: ibm-staticGroup, groupOfNames, groupOfUniqueNames, accessRole, accessGroup, ibm-dynamicGroup, groupOfUrls, and ibm-nestedGroup. See Static, dynamic, and nested groups for additional information about static, dynamic, and nested groups.
When specifying a user or group distinguished name in an aclEntry attribute value, the access-id, group, or role portions of the value are optional and are accepted for compatibility with older levels of the LDAP server. If replicating to non-z/OS IBM® TDS, one of these prefixes are required. The distinguished name that is used does not need to be the name of any entry in the directory. The distinguished name is the name that represents the user that has authenticated to the directory server or the group that the user is a member of.
pseudo-DNs. These are used to reference large numbers of subject DNs which, at bind time, share a common characteristic in relation to either the operation being performed or the target object on which the operation is being performed. Currently, three pseudo DNs are defined:
group:cn=anybody
group:cn=authenticated
access-id:cn=this
The group:cn=anybody
refers
to all subjects, including those that are unauthenticated (considered
anonymous users). All users belong to this group automatically.
The group:cn=authenticated
refers to any DN that
is authenticated to the directory. The method of authentication is
not considered when using distinguished names in the aclEntry attribute
value.The access-id:cn=this
refers to the bind DN that
matches the target object's DN on which the operation is performed.
If the server compatibility is 6 or greater, a search filter can be specified after the aclFilter component in an aclEntry attribute value. When the search filter evaluates to true, it reduces, augments, or replaces the set of permissions specified. See ACL filters for more information about the search filters that are allowed to be specified.
Examples:
In this example, the DN type is access-id
and
the DN itself is cn=personA, ou=deptXYZ, o=IBM, c=US
:
access-id:cn=personA, ou=deptXYZ, o=IBM, c=US
In this example, the DN type is group
and the
DN itself is cn=deptXYZRegs, o=IBM, c=US
:
group:cn=deptXYZRegs, o=IBM, c=US
This is an example of how to use a RACF® identity that is established with SDBM in an ACL:
access-id:racfid=YourID,profileType=user,sysplex=YourSysplex
group:racfid=YourGrp,profileType=group,sysplex=YourSysplex
Attribute access classes
Attributes requiring similar permission for access are grouped in classes. Attributes are assigned to an attribute access class within the schema definitions. The IBMAttributeTypes attribute in the LDAP server schema entry holds the attribute types access class. The three attribute access classes are:
- normal
- sensitive
- critical
Each of these attribute access classes is discrete. If a user has write permission to sensitive attributes, then the user does not automatically have write permission to normal attributes. This permission must be explicitly defined.
The default attribute access class for an attribute is normal. By default, all users have read access to normal attributes. There are two additional attribute access classes that are used internally by LDAP for system attributes. These attribute access classes are restricted and system. You can specify these access classes when granting permissions in ACLs.
For example, the name of a person is typically defined in the normal class. Perhaps a social security number is considered sensitive, and any password information for the user is considered critical. Following are some example definitions that are excerpted from the LDAP server schema. Note that the attribute userPassword is defined with access class critical.
attributetypes: (
2.5.4.49
NAME ( ’dn’ ’distinguishedName’ )
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
USAGE userApplications
)
ibmattributetypes: (
2.5.4.49
ACCESS-CLASS normal
)
attributetypes: (
2.5.4.35
NAME ’userPassword’
DESC ’Defines the user password’
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
USAGE userApplications
)
ibmattributetypes: (
2.5.4.35
ACCESS-CLASS critical
)
It is possible to specify access controls on individual attributes. However, when defining schema an access class is always defined for the attribute type. If not specified, that attribute type is defined to belong to the normal class.
Access permissions
Following is the set of access permissions.
Permission | |
---|---|
Add | Add an entry below this entry |
Delete | Delete this entry |
Permission | |
---|---|
Read | Read attribute values |
Write | Write attribute values |
Search | Search filter can contain attribute type |
Compare | Compare attribute values |
Following are some examples of valid aclEntry values:
access-id:cn=Tim, o=Your Company:normal:rwsc:sensitive:rsc:object:ad
role:cn=roleGroup, o=Your Company:object:ad:normal:rsc:sensitive:rsc
group:cn=group1, o=Your Company:system:csr:normal:sw
cn=Lisa, o=Your Company:normal:rwsc:sensitive:rwsc:critical:rwsc:restricted:rwsc:system:rwsc
cn=Ken, o=Your Company:normal:rsc
group:cn=group2,dc=yourcompany,dc=com:normal:rwsc:at.cn:deny:w:sensitive:grant:rsc
cn=Karen,dc=yourcompany,dc=com:at.cn:grant:rwsc:normal:deny:rwsc
cn=Mary,dc=yourcompany,dc=com:normal:rwsc:sensitive:rwsc:critical:deny:rwsc:at.userpassword:w
group:cn=anybody:normal:rsc
group:cn=authenticated:normal:rwsc:sensitive:rsc
access-id:cn=this:normal:rwsc:sensitive:rwsc:restricted:rwsc
aclFilter: (&(ibm-filterTimeOfDay>=09:00)(ibm-filterTimeOfDay<=17:00)(ibm-filterDayOfWeek>=1)
(ibm-filterDayOfWeek<=5)):union:normal:w
aclFilter: (|(ibm-filterSubject=cn=Ken, o=Your Company)(ibm-filterIP=129.176.132.*))
:replace:normal:rwsc:critical:rsc:sensitive:rwsc
See Access determination for information about how the aclEntry values are used to determine access.
The aclEntry attribute value is defined as a directory string.
When the aclFilter scope is not specified, a search using the aclEntry attribute matches against the distinguished name in the value. An aclEntry value in this format is normalized following the matching rules for a distinguished name. Two aclEntry attributes in this format are considered to be the same if they have the same distinguished name.
When the aclFilter scope is specified, a search using the aclEntry attribute matches against the scope, filter, and operation in the search filter. An aclEntry in this format is normalized by normalizing the scope, filter, and the operation. Two aclEntry attributes in this format are considered to be the same if they have the same filter and operation.