
Re: ACL Clarification



Ski Kacoroski wrote:
Ok,

I think I have it mostly figured out for my particular case. I would appreciate any comments (and improvements) on the following set of ACLs which limit access to a staff object in my directory. I am very interested if there is a best practice way on how to provide different levels of access to different attributes of an object. Once I get this down, I will add something to the FAQ. Thanks in advance for your help.

Not relevant to your ACLs, but something to put in the FAQ: every ACL is followed by an implicit "by * none", so any ACL later in the list which applies in the same scope as a previous ACL will not be effective. (So if you were to put your last ACL, below, first then it would be the only one that was effective unless you specified "by * break".)


# Basic setup ACLs
# Allow everyone to access base dn to set up a connection
access to dn.base=""
  by * read

# Allow everyone to access all entries
access to attrs=entry
  by self write
  by * read

# password can only be changed by self and admins
access to attrs=userPassword
  by anonymous auth
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by self write
  by * none

# Staff tree ACLs
# everyone can read these attributes, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=cn,givenName,sn,mail,displayName
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by * read

# everyone can read these attributes, admins and self can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdPrefLastName,nsdPrefFirstName
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by self write
  by * read

# all authenticated people can read, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdMobilePhone,nsdAltPhone,nsdGeneralPhone,nsdPhoto
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by users read
  by * search

# all authenticated people can read, admins & self can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdPersonalEmail,nsdPersonalPhone,nsdPersonalMobilePhone
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by self write
  by users read
  by * search

# self can read these attributes, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdEmployeeNumber,nsdBargainUnit,nsdPCN
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by self read
  by * search

# for everything else, only admins can read & write
access to *
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by * search

cheers,

ski


--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
Systems Administrator
DigiPen Institute of Technology
(425) 895-4443
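As an added example (not code from this thread or from OpenLDAP), the following Python model captures the evaluation rule the reply describes: the first "access to" clause whose scope matches decides, each clause ends in an implicit "by * none", and only a "break" control lets evaluation continue to later clauses. It uses a reduced version of the ACL set above to show what happens when the final "access to *" clause is moved first, with and without "by * break"; the DNs for alice and bob, the GROUPS map, and the simplified who_matches helper (which does not resolve the real group/nsdGrp/memberURL syntax) are constructed for the demo.

```python
from collections import namedtuple
# subtree: dn.subtree scope or None for any entry; attrs: set of names or None for "*";
# by: ordered (who, level, control) tuples, control being "stop" or "break".
Acl = namedtuple("Acl", "subtree attrs by")
ADMINS = "cn=Admins,ou=Groups,dc=nsd,dc=org"
STAFF = "ou=staff,ou=People,dc=nsd,dc=org"

def who_matches(who, requester, target_dn, groups):
    """Toy <who> matcher for *, anonymous, users, self and group=<dn> (simplified)."""
    if who.startswith("group="):
        return requester in groups.get(who[len("group="):], ())
    return {"*": True, "anonymous": requester is None, "users": requester is not None,
            "self": requester == target_dn}.get(who, False)

def evaluate(acls, requester, target_dn, attr, groups):
    """The first 'access to' clause whose scope matches decides; each clause ends in
    an implicit 'by * none'; only a 'break' control continues to later clauses."""
    granted = "none"
    for acl in acls:
        if acl.subtree and not target_dn.endswith(acl.subtree):
            continue
        if acl.attrs is not None and attr not in acl.attrs:
            continue
        hit = next(((lvl, ctl) for who, lvl, ctl in acl.by
                    if who_matches(who, requester, target_dn, groups)), None)
        if hit is None:
            return "none"            # implicit trailing "by * none"
        level, control = hit
        if control != "break":
            return level             # default control is "stop"
        granted = level              # remember it and keep evaluating later clauses
    return granted

# Constructed sample data modelled on the thread's directory layout.
ALICE, BOB = f"uid=alice,{STAFF}", f"uid=bob,{STAFF}"
GROUPS = {ADMINS: {ALICE}}
PASSWORD = Acl(None, {"userPassword"}, [("anonymous", "auth", "stop"),
                                        ("group=" + ADMINS, "write", "stop"), ("self", "write", "stop")])
HR = Acl(STAFF, {"nsdEmployeeNumber", "nsdBargainUnit", "nsdPCN"},
         [("group=" + ADMINS, "write", "stop"), ("self", "read", "stop"), ("*", "search", "stop")])

def catch_all(control="stop"):
    """The thread's final 'access to *' clause, with a selectable control on 'by *'."""
    return Acl(None, None, [("group=" + ADMINS, "write", "stop"), ("*", "search", control)])

def bob_password_access(catch_all_first, control="stop"):
    """Bob's access to his own userPassword under a given clause order."""
    acls = [catch_all(control), PASSWORD, HR] if catch_all_first else [PASSWORD, HR, catch_all(control)]
    return evaluate(acls, BOB, BOB, "userPassword", GROUPS)
```

With the catch-all last, bob can write his own password; moved first it shadows every later clause (bob only gets "search") unless its "by *" line carries "break", which lets the userPassword clause decide again.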