13.2. Default ACIs

When the Admin Server is set up, the following default ACIs apply to the directory information stored in the userRoot database:
  • Users can modify a list of common attributes in their own entries, including the mail, telephoneNumber, userPassword, and seeAlso attributes. Operational and most of the security attributes, such as aci, nsroledn, and passwordExpirationTime, cannot be modified by users.
  • Users have anonymous access to the directory for search, compare, and read operations.
  • The administrator (by default uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot) has all rights except proxy rights.
  • All members of the Configuration Administrators group have all rights except proxy rights.
  • All members of the Directory Administrators group have all rights except proxy rights.
  • Server Instance Entry (SIE) group.
The NetscapeRoot subtree has its own set of default ACIs:
  • All members of the Configuration Administrators group have all rights on the NetscapeRoot subtree except proxy rights.
  • Users have anonymous access to the NetscapeRoot subtree for search and read operations.
  • All authenticated users have search, compare, and read rights to configuration attributes that identify the Admin Server.
  • Group expansion.
The following sections explain how to modify these default settings.
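
To check which of these defaults are actually present on a server, the aci values can be exported and reviewed for who they apply to. The parser below is an added example, not part of the original guide or the server's tooling: it reports the subject of each allow/deny clause and expands `all` (which excludes proxy), so anonymous access and proxy grants stand out. The sample ACIs, their names and the dc=example,dc=com suffix are constructed assumptions.

```python
import re

# "all" expands to every right except proxy; proxy must be granted by name.
ALL_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite"}
NAME = re.compile(r'acl\s+"([^"]*)"\s*;', re.I)
PERM = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)([^;]*);', re.I)
SUBJECT = re.compile(r'\b(userdn|groupdn|roledn)\s*=\s*"([^"]*)"', re.I)
USERDN_KEYWORDS = {"ldap:///anyone": "anonymous", "ldap:///all": "authenticated",
                   "ldap:///self": "self"}

def subjects(bind_rule):
    """Kinds of client named positively in a bind rule (negated '!=' terms skipped)."""
    kinds = set()
    for keyword, value in SUBJECT.findall(bind_rule):
        for url in value.split("||"):
            if keyword.lower() == "userdn":
                kinds.add(USERDN_KEYWORDS.get(url.strip().lower(), "user"))
            else:
                kinds.add("group" if keyword.lower() == "groupdn" else "role")
    return sorted(kinds)

def parse_aci(aci):
    """Return one record per allow/deny clause of a single aci value."""
    name = NAME.search(aci)
    body = aci[name.end():] if name else aci  # skip the name so its text is not parsed
    records = []
    for kind, rights, bind_rule in PERM.findall(body):
        granted = {r.strip().lower() for r in rights.split(",") if r.strip()}
        if "all" in granted:
            granted = (granted - {"all"}) | ALL_RIGHTS
        records.append({"name": name.group(1) if name else "(unnamed)",
                        "type": kind.lower(), "rights": sorted(granted),
                        "who": subjects(bind_rule), "proxy": "proxy" in granted})
    return records

def anonymous_allows(acis):
    """(name, rights) for allow clauses that match unauthenticated clients."""
    return [(r["name"], r["rights"]) for a in acis for r in parse_aci(a)
            if r["type"] == "allow" and "anonymous" in r["who"]]

# Constructed samples modelled on the defaults above; names and suffix are assumptions.
SAMPLE_ACIS = [
    '(targetattr = "mail || telephoneNumber || userPassword || seeAlso")(version 3.0; acl "sample self write"; allow (write) userdn = "ldap:///self";)',
    '(targetattr = "*")(version 3.0; acl "sample anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr = "*")(version 3.0; acl "sample directory admins"; allow (all) groupdn = "ldap:///cn=Directory Administrators,dc=example,dc=com";)',
]

if __name__ == "__main__":
    print(anonymous_allows(SAMPLE_ACIS))
```

Feed it the aci values read from the suffix entry and from the NetscapeRoot subtree; any clause reported for `anonymous` or with `proxy` set is one to review against the defaults listed in this section.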