13.5. Creating ACIs from the Console

You can use the Directory Server Console to view, create, edit, and delete access control instructions for your directory:
See Section 13.9, “Access Control Usage Examples” for a collection of access control rules commonly used in Directory Server security policies, along with step-by-step instructions for using the Directory Server Console to create them.
The Access Control Editor prevents creating more complex ACIs in visual editing mode, especially ACIs with any of these characteristics:


In the Access Control Editor, click the Edit Manually button at any time to check the LDIF representation of the ACI changes made through the graphical interface.

13.5.1. Displaying the Access Control Editor

  1. Start the Directory Server Console. Log in using the bind DN and password of a privileged user, such as the Directory Manager, who has write access to the ACIs configured for the directory.
  2. Select the Directory tab.
  3. Right-click the entry in the navigation tree for which to set access control, and select Set Access Permissions from the pop-up menu.
    Alternatively, highlight the entry, and select Set Access Permissions from the Object menu.
  4. Click New to open the Access Control Editor.
    Figure 13.2. Access Control Editor Window

13.5.2. Creating a New ACI

To create a new ACI in the Directory Server Console:
  1. Open the Access Control Editor, as described in Section 13.5.1, “Displaying the Access Control Editor”.
    If the view displayed is different from Figure 13.2, “Access Control Editor Window”, click the Edit Visually button.
  2. Type the ACI name in the ACI Name field.
    The name can be any unique string that identifies the ACI. If you do not enter a name, the server uses the name "unnamed ACI".
  3. In the Users/Groups tab, select the users to whom you are granting access by highlighting All Users or clicking the Add button to search the directory for the users to add.
    1. Select a search area from the drop-down list, enter a search string in the Search field, and click the Search button. You can use wildcards (an asterisk, *) to search for partial user names. The search results are displayed in the list below.
    2. Highlight the entries you want in the search result list, and click the Add button to add them to the list of entries which have access permission.
    3. Click OK to dismiss the Add Users and Groups window.
    The selected entries are now listed on the Users/Groups tab in the ACI editor.
  4. In the Access Control Editor, click the Rights tab, and use the check boxes to select the rights to grant.
  5. Click the Targets tab. Click This Entry to display the current node as the target for the ACI or click Browse to select a different suffix.


    You can change the value of the target DN, but the new DN must be a direct or indirect child of the selected entry.
    If you do not want every entry in the subtree under this node to be targeted by the ACI, enter a filter in the Filter for Sub-entries field. The filter applies to every entry below the target entry; for example, setting a filter of ou=Sales means that only entries with ou=Sales in their DN are returned.
    Additionally, you can restrict the scope of the ACI to only certain attributes by selecting the attributes to target in the attribute list.
  6. Click the Hosts tab, then the Add button to open the Add Host Filter dialog box.
    You can specify a host name or an IP address. With an IP address, you can use an asterisk (*) as a wildcard.


    Directory Server supports both IPv4 and IPv6 IP addresses.
  7. Click the Times tab to display the table showing at what times access is allowed.
    By default, access is allowed at all times. You can change the access times by clicking and dragging the cursor over the table. You cannot select discrete blocks of time, only continuous time ranges.
  8. Click OK when all of the configuration is complete.
The Access Control Editor closes, and the new ACI is listed in the Access Control Manager window.


At any point while creating the ACI, click the Edit Manually button to display the LDIF statement corresponding to the wizard input. This statement can be edited directly, but changes made this way may not be reflected in the graphical interface.
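As an added illustration (not part of the original documentation), the following Python composes the LDIF statement that the Edit Manually view would show for an ACI assembled from the tabs of the procedure above, one clause per tab. The DNs, attributes, hosts and times are constructed assumptions, not values from this page.

```python
# Composes the LDIF that the Access Control Editor's "Edit Manually" view shows
# for an ACI assembled from the wizard tabs of Section 13.5.2 (constructed
# example; DNs, attributes, hosts and times are assumptions, not page values).

# Rights offered on the Rights tab (Directory Server ACI syntax, version 3.0).
KNOWN_RIGHTS = {"read", "write", "add", "delete", "search", "compare",
                "selfwrite", "proxy", "all"}


def build_aci(name, target_dn, rights, userdns, targetattrs=(), targetfilter=None,
              ips=(), dns_names=(), days=(), hours=None):
    """Return one aci attribute value. Tab -> clause mapping:
    Targets -> target/targetattr/targetfilter, Rights -> allow (...),
    Users/Groups -> userdn, Hosts -> ip/dns, Times -> dayofweek/timeofday."""
    unknown = set(rights) - KNOWN_RIGHTS
    if unknown:
        raise ValueError("unknown rights: %s" % ", ".join(sorted(unknown)))
    clauses = ['(target="ldap:///%s")' % target_dn]
    if targetattrs:                      # attribute list on the Targets tab
        clauses.append('(targetattr="%s")' % " || ".join(targetattrs))
    if targetfilter:                     # "Filter for Sub-entries" field
        clauses.append('(targetfilter="%s")' % targetfilter)
    # Bind rules: several subjects are OR'ed with ||, all other conditions AND'ed.
    bind = ['userdn="%s"' % " || ".join("ldap:///%s" % u for u in userdns)]
    hosts = ['ip="%s"' % h for h in ips] + ['dns="%s"' % h for h in dns_names]
    if hosts:                            # a bind from any listed host qualifies
        bind.append("(%s)" % " or ".join(hosts))
    if days:
        bind.append('dayofweek="%s"' % ",".join(days))
    if hours:                            # one continuous (HHMM, HHMM) range, as the Times tab allows
        bind.append('timeofday >= "%s" and timeofday < "%s"' % tuple(hours))
    body = 'version 3.0; acl "%s"; allow (%s) %s;' % (
        name or "unnamed ACI", ", ".join(rights), " and ".join(bind))
    return "".join(clauses) + "(" + body + ")"


def to_ldif(entry_dn, aci):
    """ldapmodify input that attaches the ACI to the entry selected in the Directory tab."""
    return "dn: %s\nchangetype: modify\nadd: aci\naci: %s\n" % (entry_dn, aci)


if __name__ == "__main__":
    aci = build_aci("Sales self-edit", "ou=People,dc=example,dc=com",
                    ["read", "search", "compare", "write"], ["self"],
                    targetattrs=["telephoneNumber", "mail"], targetfilter="(ou=Sales)",
                    ips=["192.168.1.*", "2001:db8::*"], dns_names=["*.example.com"],
                    days=["Mon", "Tue", "Wed", "Thu", "Fri"], hours=("0800", "1800"))
    print(to_ldif("dc=example,dc=com", aci))
```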

13.5.3. Editing an ACI

  1. In the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu.
    The Access Control Manager window opens, listing the ACIs belonging to the entry.
  2. In the Access Control Manager window, highlight the ACI to edit, and click Edit.
  3. Make the edits to the ACI in the Access Control Editor; the different screens are described more in Section 13.5.2, “Creating a New ACI” and in the online help.
  4. When the edits are complete, click OK.

13.5.4. Deleting an ACI

  1. In the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu.
  2. In the Access Control Manager window, select the ACI to delete.
  3. Click Remove.
    The ACI is no longer listed in the Access Control Manager window.