Access control item management

An access control item (ACI) is data that identifies the permissions that users have for a specific type of resource. The system administrator has access to all functions in the system and is not governed by access control items.

As system administrator, you create an access control item to specify a set of operations and permissions. Then, you can identify which groups use the access control item.

You can create, change, or delete an access control item. A group might be designated as the owner of the access control item. Members of the group can also do these operations. Members can set up access control items within any branch or subtree branch in which the owned access control item is specified.

A Global operation category is available when you create an access control item. Users that are assigned to this access control item are granted permission to call the custom operation.

Access control items can apply to:

• Entity types such as:
  • All account classes (erAccountItem). It controls access to any account.
  • A specific account class (for example, erPosixLinuxAccount). It controls access to specific accounts of this class.
  • A user (for example, erExpressPerson, which is all users). The access control item controls access to personal profiles.
• Operations that users might perform on entity types or global operations. Custom operations are included with IBM® Security Privileged Identity Manager.
• Permissions for operations on attributes of an entity type, such as an email address.
• A set of users. This set can include access privileges of a principal. A principal is a predefined relationship that can be granted privileges. For example, the role of a manager might require access to the contact information for immediate subordinates. You can assign an access control item that grants such access to all users with a manager relationship.

IBM Security Privileged Identity Manager provides default access control items that define permissions to the user and to members in other groups. For example, a default access control item for accounts grants permission to all users to search for and modify a password on their accounts.