
ACL Clarification



Ok,

I think I have it mostly figured out for my particular case. I would appreciate any comments (and improvements) on the following set of ACLs which limit access to a staff object in my directory. I am very interested if there is a best practice way on how to provide different levels of access to different attributes of an object. Once I get this down, I will add something to the FAQ. Thanks in advance for your help.

# Basic setup ACLs
# Allow everyone to access base dn to set up a connection
access to dn.base=""
  by * read

# Allow everyone to access all entries
access to attrs=entry
  by self write
  by * read

# password only can be changed by self and admins
access to attrs=userPassword
  by anonymous auth
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by self write
  by * none

# Staff tree ACLs
# everyone can read these attributes, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=cn,givenName,sn,mail,displayName
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by * read

# everyone can read these attributes, admins and self can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdPrefLastName,nsdPrefFirstName
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by self write
  by * read

# all authenticated people can read, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdMobilePhone,nsdAltPhone,nsdGeneralPhone,nsdPhoto
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by users read
  by * search

# all authenticated people can read, admins & self can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdPersonalEmail,nsdPersonalPhone,nsdPersonalMobilePhone
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by self write
  by users read
  by * search

# self can read these attributes, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdEmployeeNumber,nsdBargainUnit,nsdPCN
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by self read
  by * search

# for everything else, only admins can read & write
access to *
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by * search

cheers,

ski

--
"When we try to pick out anything by itself, we find it
 connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, ski@nsd.org, 206-501-9803
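Because slapd stops at the first `access to` clause whose `<what>` matches and then at the first `by` that matches, the order of the clauses above decides what each bind DN actually gets (the per-attribute staff clauses must precede the `access to *` catch-all, and `by users read` must precede `by * search`). The following added example, which is not part of the post or of OpenLDAP, is a small Python evaluator of that first-match rule over an excerpt of the ACLs from the post. It assumes the standard slapd privilege ordering none < disclose < auth < compare < search < read < write, treats the `group/nsdGrp/memberURL=...` clause as a plain membership test against a constructed `GROUPS` table rather than resolving it in the directory, treats "no clause matched" as `none`, and uses constructed DNs (`uid=bob`, `uid=carol`, `uid=admin1`) for the walkthrough.

```python
"""Added example: first-match evaluator for slapd-style ACL clauses (not from the post).
Group membership is read from a constructed table, an assumption of this model."""
import re

# slapd privilege levels, lowest to highest; a higher level implies the lower ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Excerpt of the post's ACLs: per-attribute clauses come before the catch-all.
ACL_TEXT = '''
access to dn.base=""
  by * read
access to attrs=userPassword
  by anonymous auth
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by self write
  by * none
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdMobilePhone,nsdAltPhone
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by users read
  by * search
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdEmployeeNumber,nsdPCN
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by self read
  by * search
access to *
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by * search
'''

# Constructed identities for the walkthrough (not real accounts).
STAFF = "uid=bob,ou=staff,ou=People,dc=nsd,dc=org"
OTHER = "uid=carol,ou=staff,ou=People,dc=nsd,dc=org"
ADMIN = "uid=admin1,ou=staff,ou=People,dc=nsd,dc=org"

def norm(dn):
    """Case-fold a DN and strip whitespace around RDN separators."""
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())

# Constructed group table standing in for the memberURL lookup slapd would do.
GROUPS = {norm("cn=Admins,ou=Groups,dc=nsd,dc=org"): {norm(ADMIN)}}

def parse_what(spec):
    """Parse '*', dn.base="..."/dn.subtree="..." and attrs=a,b from the <what> part."""
    what = {"scope": None, "dn": None, "attrs": None}
    m = re.search(r'dn\.(base|subtree)="([^"]*)"', spec)
    if m:
        what["scope"], what["dn"] = m.group(1), norm(m.group(2))
    m = re.search(r"attrs=(\S+)", spec)
    if m:
        what["attrs"] = {a.lower() for a in m.group(1).split(",")}
    return what

def parse_acls(text):
    """Return a list of (what, [(who, level), ...]) clauses in file order."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if line.startswith("access to "):
            clauses.append((parse_what(line[len("access to "):]), []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            clauses[-1][1].append((who.strip(), level))
    return clauses

def what_matches(what, target, attr):
    """Does this clause's <what> cover attribute `attr` of entry `target`?"""
    t = norm(target)
    if what["scope"] == "base" and t != what["dn"]:
        return False
    if what["scope"] == "subtree" and not (t == what["dn"] or t.endswith("," + what["dn"])):
        return False
    return what["attrs"] is None or attr.lower() in what["attrs"]

def who_matches(who, bind, target):
    """`bind` is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (bind is None) == (who == "anonymous")
    if who == "self":
        return bind is not None and norm(bind) == norm(target)
    m = re.match(r'group(?:/[^=]*)?="([^"]*)"', who)
    if m:  # simplified: membership is looked up in the constructed GROUPS table
        return bind is not None and norm(bind) in GROUPS.get(norm(m.group(1)), set())
    raise ValueError("unsupported <who> clause: " + who)

def access_level(clauses, bind, target, attr):
    """slapd semantics: the first matching 'access to' clause decides, and within
    it the first matching 'by' wins. No match at all is treated as 'none'."""
    for what, bys in clauses:
        if what_matches(what, target, attr):
            return next((lvl for who, lvl in bys if who_matches(who, bind, target)), "none")
    return "none"

def allows(clauses, bind, target, attr, wanted):
    """True when the granted level is at least `wanted`."""
    return LEVELS.index(access_level(clauses, bind, target, attr)) >= LEVELS.index(wanted)

ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    for bind, attr in [(None, "userPassword"), (None, "nsdMobilePhone"),
                       (OTHER, "nsdEmployeeNumber"), (ADMIN, "nsdPCN")]:
        print(bind or "anonymous", attr, "->", access_level(ACLS, bind, STAFF, attr))
```

Running the walkthrough shows the consequences of the ordering: anonymous binds get `auth` on `userPassword` (enough to bind, not to read), `search` on the phone attributes while authenticated users get `read`, a staff member can `read` their own `nsdEmployeeNumber` while a colleague only gets `search`, and anything not named by an earlier clause falls through to the catch-all. Reordering the excerpt (for example moving `access to *` to the top) and re-running the same queries is a quick way to see a clause become unreachable before the change reaches a live server. The model deliberately ignores slapd features the post does not use (`dn.regex`, `filter=`, `attrs=...val`, `ssf=`), so it is a sanity check on clause ordering, not a replacement for testing against slapd itself.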