13.5. Creating ACIs from the Console
- Deny access (see “Permissions Syntax”).
- Create value-based ACIs (see “Targeting Attributes”).
- Define parent access (see “Parent Access (parent Keyword)”).
- Create ACIs that contain Boolean bind rules (Section 13.4.11, “Using Boolean Bind Rules”).
- Create ACIs that use the
13.5.1. Displaying the Access Control Editor
- Start the Directory Server Console. Log in using the bind DN and password of a privileged user, such as the Directory Manager, who has write access to the ACIs configured for the directory.
- Select the Directory tab.
- Right-click the entry in the navigation tree for which to set access control, and select Set Access Permissions from the pop-up menu. Alternatively, highlight the entry, and select Set Access Permissions from the Object menu.
- Click New to open the Access Control Editor.
Figure 13.2. Access Control Editor Window
13.5.2. Creating a New ACI
- Open the Access Control Editor, as described in Section 13.5.1, “Displaying the Access Control Editor”. If the view displayed is different from Figure 13.2, “Access Control Editor Window”, click the button.
- Type the ACI name in the ACI Name field. The name can be any unique string to identify the ACI. If you do not enter a name, the server uses
- In the Users/Groups tab, select the users to whom you are granting access by highlighting All Users or clicking the button to search the directory for the users to add.
The selected entries are now listed on the Users/Groups tab in the ACI editor.
- Select a search area from the drop-down list, enter a search string in the Search field, and click the button. You can use wildcards (an asterisk, *) to search for partial user names. The search results are displayed in the list below.
- Highlight the entries you want in the search result list, and click the button to add them to the list of entries which have access permission.
- Click to dismiss the Add Users and Groups window.
- In the Access Control Editor, click the Rights tab, and use the check boxes to select the rights to grant.
- Click the Targets tab. Click to display the current node as the target for the ACI or click to select a different suffix.
Note: You can change the value of the target DN, but the new DN must be a direct or indirect child of the selected entry.
If you do not want every entry in the subtree under this node to be targeted by the ACI, enter a filter in the Filter for Sub-entries field. The filter applies to every entry below the target entry; for example, setting a filter of ou=Sales means that only entries with ou=Sales in their DN are returned. Additionally, you can restrict the scope of the ACI to only certain attributes by selecting the attributes to target in the attribute list.
- Click the Hosts tab, then the button to open the Add Host Filter dialog box. You can specify a host name or an IP address. With an IP address, you can use an asterisk (*) as a wildcard.
Note: Directory Server supports both IPv4 and IPv6 IP addresses.
- Click the Times tab to display the table showing at what times access is allowed. By default, access is allowed at all times. You can change the access times by clicking and dragging the cursor over the table. You cannot select discrete blocks of time, only continuous time ranges.
- Click when all of the configuration is complete.
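The settings made on these tabs are stored as an ACI value on the target entry. The following added example (not part of the Red Hat documentation) parses such a value back into the editor's tabs, so that an ACI created from the Console can be reviewed for tabs left at their widest setting. The two sample ACIs, with their DNs, group name, IP range and times, are constructed, and the parser assumes a version 3.0 ACI with a single permission.

```python
import re
# Constructed ACI values in Directory Server ACI syntax (not from the page).
UNSCOPED = ('(targetattr="*")(version 3.0; acl "Unscoped"; '
            'allow (all) userdn="ldap:///anyone";)')
SCOPED = ('(target="ldap:///ou=People,dc=example,dc=com")'
          '(targetfilter="(ou=Sales)")(targetattr="cn || telephoneNumber")'
          '(version 3.0; acl "Sales phone book"; allow (read, search, compare) '
          'groupdn="ldap:///cn=Sales Managers,ou=Groups,dc=example,dc=com" '
          'and ip="192.0.2.*" and timeofday >= "0800" and timeofday < "1800";)')

TARGET_RE = re.compile(r'\(\s*(target\w*)\s*!?=\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<type>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.+?)\s*;\s*\)\s*$',
    re.S)
CLAUSE_RE = re.compile(r'(\w+)\s*([!<>]?=|[<>])\s*"([^"]*)"')

def tab_summary(aci):
    """Map one ACI value back to the tabs of the Access Control Editor."""
    m = BODY_RE.search(aci)
    if not m:
        raise ValueError("expected a version 3.0 ACI with a single permission")
    clauses = CLAUSE_RE.findall(m["bind"])  # (keyword, operator, value) triples
    def pick(*keywords):
        return [f"{k} {op} {v}" for k, op, v in clauses if k.lower() in keywords]
    return {
        "ACI Name": m["name"],
        "Users/Groups": pick("userdn", "groupdn", "roledn", "userattr"),
        "Rights": (m["type"], [r.strip() for r in m["rights"].split(",")]),
        "Targets": dict(TARGET_RE.findall(aci[:m.start()])),
        "Hosts": pick("ip", "dns"),
        "Times": pick("timeofday", "dayofweek"),
    }

def unrestricted_tabs(aci):
    """List the tabs on which the ACI carries no narrowing setting."""
    s = tab_summary(aci)
    wide = []
    if any(v.endswith(("ldap:///anyone", "ldap:///all")) for v in s["Users/Groups"]):
        wide.append("Users/Groups")   # anonymous, or any authenticated user
    if "all" in s["Rights"][1]:
        wide.append("Rights")
    if s["Targets"].get("targetattr") == "*" and "targetfilter" not in s["Targets"]:
        wide.append("Targets")        # every attribute, no sub-entry filter
    wide += [tab for tab in ("Hosts", "Times") if not s[tab]]
    return wide

if __name__ == "__main__":
    print({a: unrestricted_tabs(a) for a in (UNSCOPED, SCOPED)})
```

To review a live entry, read its aci attribute as a privileged user and pass each value to unrestricted_tabs().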
13.5.3. Editing an ACI
- In the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu. The Access Control Manager window opens, listing the ACIs belonging to the entry.
- In the Access Control Manager window, highlight the ACI to edit, and click .
- Make the edits to the ACI in the Access Control Editor; the different screens are described more in Section 13.5.2, “Creating a New ACI” and in the online help.
- When the edits are complete, click.