LDAP access control lists (ACLs)

In many cases, you probably would not want to restrict access to data on your LDAP directory server. For example, an LDAP server on your company Intranet might contain a telephone directory of company employees. You would probably want all employees to be able to view the data in this directory. Imagine, however, that the president of your company does not want all employees to be able to access her telephone number. In that case, you could create an access control list (ACL). With this ACL, you could restrict access to her server entry to only those employees the president wanted to receive calls from.

With ACLs, you can control who has the authority to add and delete directory objects. You can also specify whether or not users have the ability to read, write, search, and compare directory attributes. ACLs can be either inherited or explicit. That is, you can use ACLs in one of the following ways:

Perhaps the president in the example above did not want all employees to be able to access her telephone number. She did, however, want all managers to be able to access it. In such a case, you could make use of an ACL Group to simplify granting authority to the managers. ACL groups allow you to grant access to specific groups of users rather than granting authority on an individual basis. This is particularly useful if the same group of people needs access to more than one set of objects. If the same managers that had access to the president's telephone number, for example, later needed access to salary entries, you could reuse the ACL group.

Each LDAP attribute type has a classification of "Normal", "Sensitive", or "Critical". The attribute schema files control these classifications. When you add a user to an object's ACL, you specify which classifications the user can read, write, search, and compare. In most schemas, the telephone number would be classified as a "Normal" attribute. Therefore, to give the managers in the above example access to the president's telephone number, you would give them read access to the "Normal" attributes in the president's directory object. They would still not be able to access "Sensitive" and "Critical" information.

Special ACL values

Initially, all objects in the AS/400 Directory Services directory server have an ACL that contains a special ACL group, CN=Anybody, that includes all directory users. This group has read, search, and compare access to objects.

You may want some objects to have the same access permissions for all users who bind to the directory server with a connection that is not anonymous. To do this, use the special access control list (ACL) group cn=Authenticated.

To specify what access permissions an object has for itself, you can use the special DN cn=this. This enables child entries that inherit their ACLs to be automatically authorized to perform operations on their own objects.
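As an added example (not from the original page and not AS/400 Directory Services' own code), the following Python model evaluates the access model described in this and the preceding sections: attribute classifications, ACL groups, inherited versus explicit ACLs, and the special cn=Anybody, cn=Authenticated and cn=this subjects. It assumes the IBM-style aclEntry value syntax `subject-type:dn:class:permissions[:class:permissions...]` and a precedence rule in which a matching access-id entry is used instead of group entries; the entries, DNs and group names are constructed for the example.

```python
from dataclasses import dataclass, field

def parse_acl_entry(value):
    """'group:cn=Managers,o=example:normal:rsc' -> ('group', dn, {'normal': {'r','s','c'}})."""
    parts = [p.strip().lower() for p in value.split(":")]   # subject DNs containing ':' not handled
    return parts[0], parts[1], {c: set(p) for c, p in zip(parts[2::2], parts[3::2])}

@dataclass
class Entry:
    dn: str
    acl: list = field(default_factory=list)   # explicit aclEntry values; [] = inherit from parent
    parent: "Entry" = None

    def effective_acl(self):
        """Inherited ACL: walk up to the nearest entry that carries an explicit ACL."""
        node = self
        while node is not None and not node.acl:
            node = node.parent
        return [parse_acl_entry(v) for v in node.acl] if node else []

def subject_matches(stype, sdn, bind_dn, groups, target_dn):
    """Does an aclEntry subject cover this bind (bind_dn None = anonymous bind)?"""
    b = bind_dn.lower() if bind_dn else None
    if stype == "group":
        if sdn == "cn=anybody":          # every directory user, anonymous included
            return True
        if sdn == "cn=authenticated":    # any non-anonymous bind
            return b is not None
        return sdn in {g.lower() for g in groups}
    if stype == "access-id":             # a specific DN, or cn=this = the entry itself
        return b == (target_dn.lower() if sdn == "cn=this" else sdn)
    return False

def has_access(target, bind_dn, groups, attr_class, perm):
    """Is `perm` (r/w/s/c, or a/d on 'object') granted on `attr_class`? Assumed
    precedence: a matching access-id entry (incl. cn=this) replaces matching group entries."""
    matched = [(st, gr) for st, sd, gr in target.effective_acl()
               if subject_matches(st, sd, bind_dn, groups, target.dn)]
    ids = [gr for st, gr in matched if st == "access-id"]
    applicable = ids or [gr for st, gr in matched if st == "group"]
    return any(perm in gr.get(attr_class, set()) for gr in applicable)

def build_directory():
    """Constructed sample: the president's explicit ACL replaces the inherited cn=Anybody one."""
    root = Entry("o=example", acl=["group:cn=Anybody:normal:rsc", "access-id:cn=this:normal:rwsc"])
    alice = Entry("cn=Alice,o=example", parent=root)          # inherits root's ACL
    president = Entry("cn=President,o=example", parent=root, acl=[
        "group:cn=Managers,o=example:normal:rsc", "access-id:cn=this:normal:rwsc:sensitive:rwsc"])
    return alice, president
```

Running `has_access` against `build_directory()` shows anonymous binds reading Alice's Normal attributes but not the president's, managers reading only the president's Normal attributes, and each entry (via the inherited cn=this) able to write its own Normal attributes.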

Additional information

To administer ACLs through Operations Navigator, you do not need to know the details of how AS/400 Directory Services implements ACLs. However, if you want to specify ACL-related attributes when using LDIF files or want to use ACLs with the LDAP command line utilities, you will need to familiarize yourself with the attributes that ACLs use.

For information on setting up and changing ACLs and ACL groups, follow these links:

Working with the Access Control Lists (ACLs)
Working with ACL Groups
