Chapter 8. Checking access rights on entries using Get Effective Rights search

As an administrator, you can find and control access rights that a user has on attributes within a specific entry.

Get effective rights (GER) is a way to extend directory searches to display what access rights a user has to a specified entry. The search reports the following rights:

  • Read
  • Write and self-write
  • Search
  • Add
  • Delete

Checking effective rights on an entry is beneficial in the following situations:

  • You can use the GER commands to better organize access control instructions for the directory. It is often necessary to restrict what one group of users can view or edit compared to another group. For example, members of the QA Managers group may have the right to search and read attributes like manager and salary, but only HR Group members have the right to modify or delete them. Checking effective rights for a user or group is one way to verify that an administrator has set the appropriate access controls.
  • You can use the GER commands to see what attributes you can view or modify on your personal entry. For example, a user should have write access to attributes such as homePostalAddress and cn, but may only have read access to the manager and salary attributes.

The getEffectiveRights search uses the following entities:

  • The requester. This is the entry that is authenticated (the bind DN) when the getEffectiveRights search operation is issued.
  • The subject whose rights you evaluate. This is the authorization DN carried in the GER control.
  • The target. You define it by the search base, search filter, and attribute list of the request.
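The following Python script is an added example and is not part of the Directory Server documentation. It shows the three entities above in one request (requester = bind DN, subject = authorization DN in the control, target = base, filter and attribute list) and then audits the rights the server reports against the QA Managers policy from the previous section. It assumes the GER request control OID 1.3.6.1.4.1.42.2.27.9.5.2, the OpenLDAP ldapsearch syntax `-E '!<oid>=:<value>'` for passing a raw control value, and Directory Server's `entryLevelRights` / `attributeLevelRights` output attributes (letters such as `r` read, `s` search, `c` compare, `w` write, `o` delete value, `W` self-write). The LDIF below is constructed, not captured from a server; the `QA_MANAGER_POLICY` matrix and the `uid=qamgr` / `uid=jdoe` entries are hypothetical.

```python
"""Build a Get Effective Rights (GER) search and audit the reported rights.

Added example, not Directory Server's own code. Assumptions are marked below.
"""
import shlex
from typing import Dict, List, Set, Tuple

# Assumed: OID of the GER request control understood by Directory Server.
GER_CONTROL_OID = "1.3.6.1.4.1.42.2.27.9.5.2"


def build_ger_search(requester_dn: str, subject_dn: str, base: str,
                     search_filter: str, attrs: List[str]) -> List[str]:
    """Return an ldapsearch argv for a GER search.

    requester_dn: who binds (the requester)
    subject_dn:   whose rights are evaluated (authorization DN in the control)
    base/filter/attrs: the target
    """
    # Control value is "dn:<subject DN>"; the leading "!" marks it critical,
    # so a server that does not support GER rejects the search instead of
    # silently returning a plain result (OpenLDAP ldapsearch -E syntax assumed).
    control = f"!{GER_CONTROL_OID}=:dn:{subject_dn}"
    return ["ldapsearch", "-x", "-D", requester_dn, "-W",
            "-b", base, "-E", control, search_filter, *attrs]


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _letters(value: str) -> Set[str]:
    # Assumed: the server reports "none" when the subject holds no right.
    value = value.strip()
    return set() if value == "none" else set(value)


def parse_ger_output(text: str) -> Dict[str, dict]:
    """Map each returned entry DN to its entry-level and attribute-level rights.

    Only plain "attr: value" lines are handled; base64 ("dn::") values are not.
    """
    entries: Dict[str, dict] = {}
    current = None
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            continue
        if name == "dn":
            current = {"entry": set(), "attrs": {}}
            entries[value] = current
        elif current is None:
            continue
        elif name == "entryLevelRights":
            current["entry"] = _letters(value)
        elif name == "attributeLevelRights":
            # Format: "attr1:rights, attr2:rights, ..."
            for item in value.split(","):
                attr, _, rights = item.strip().partition(":")
                current["attrs"][attr] = _letters(rights)
    return entries


def audit(rights_by_attr: Dict[str, Set[str]],
          policy: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (attribute, extra right letters) where the subject holds a right
    the policy does not grant. An empty list means the ACIs match the policy."""
    findings = []
    for attr, allowed in policy.items():
        extra = rights_by_attr.get(attr, set()) - set(allowed)
        if extra:
            findings.append((attr, "".join(sorted(extra))))
    return findings


# Constructed sample: what a GER search for subject uid=qamgr on the target
# entry uid=jdoe might return. The salary line deliberately shows write ("w")
# and delete-value ("o") rights that the QA Managers policy does not allow.
SAMPLE_GER_OUTPUT = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
cn: Jane Doe
manager: uid=hrboss,ou=People,dc=example,dc=com
salary: 70000
entryLevelRights: v
attributeLevelRights: cn:rsc, manager:rsc, salary:rscwo,
  homePostalAddress:rsc
"""

# Hypothetical policy: QA Managers may read, search and compare these
# attributes on other people's entries, but never modify them.
QA_MANAGER_POLICY = {"cn": "rsc", "manager": "rsc", "salary": "rsc",
                     "homePostalAddress": "rsc"}

if __name__ == "__main__":
    cmd = build_ger_search("cn=Directory Manager",
                           "uid=qamgr,ou=People,dc=example,dc=com",
                           "dc=example,dc=com", "(uid=jdoe)",
                           ["cn", "manager", "salary", "homePostalAddress"])
    print("GER search:", shlex.join(cmd))
    for dn, rights in parse_ger_output(SAMPLE_GER_OUTPUT).items():
        for attr, extra in audit(rights["attrs"], QA_MANAGER_POLICY):
            print(f"{dn}: subject holds unexpected right(s) '{extra}' on {attr}")
```

Run the printed ldapsearch command against a test instance (it prompts for the requester's password because of `-W`) and feed its output to `parse_ger_output` instead of the constructed sample; an empty `audit` result for every entry means the ACIs grant exactly what the policy intends.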