HP-UX Directory Server 8.1 administrator guide

A) is the GER subject; their rights are the subject of the search. The entry or entries to which the
person has rights (Entry B) is the target of the search or the search base.
6.7.1 Rights shown with a get effective rights search
Any get effective rights search, whether run by viewing an entry in the Directory Server Console or
by searching for it on the command line, shows the rights that User A has to User B's entry.
There are two kinds of access rights that can be allowed to any entry. The first are upper-level
rights, rights on the entry itself, meaning the kinds of operations that User A can perform
on User B's entry as a whole. The second level of access rights is more granular and shows what
rights User A has for a given attribute. In this case, User A may have different kinds of access
permissions for different attributes in the same entry. Whatever access controls are allowed for
a user are the effective rights over that entry.
For example:
entryLevelRights: vadn
attributeLevelRights: givenName:rscWO, sn:rscW, objectClass:rsc, uid:rsc,
cn:rscW
Table 6-6 “Entry rights” and Table 6-7 “Attribute rights” show the access rights to entries and
attributes, respectively, that are returned by a get effective rights search.
Table 6-6 Entry rights
Permission  Description
a           Add an entry.
d           Delete this entry.
n           Rename the DN.
v           View the entry.
Table 6-7 Attribute rights
Permission  Description
r           Read.
s           Search.
w           Write (mod-add).
o           Obliterate (mod-del). Analogous to delete.
c           Compare.
W           Self-write.
O           Self-delete.
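As an added example (not taken from this guide), the following Python decodes entryLevelRights and attributeLevelRights values using the letters in Table 6-6 and Table 6-7 and lists the attributes on which the GER subject holds any write-type right, which is the usual thing to check when auditing an ACI. The function names, the folded sample input, and the handling of a "none" value are assumptions.

```python
# Permission letters from Table 6-6 (entry) and Table 6-7 (attribute).
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename DN", "v": "view"}
ATTR_RIGHTS = {"r": "read", "s": "search", "w": "write (mod-add)",
               "o": "obliterate (mod-del)", "c": "compare",
               "W": "self-write", "O": "self-delete"}
MODIFY = set("woWO")  # letters that let the subject change attribute values

# Constructed sample: the example values from this section, folded the way
# LDIF folds long lines (a continuation line starts with one space).
SAMPLE = """entryLevelRights: vadn
attributeLevelRights: givenName:rscWO, sn:rscW, objectClass:rsc, uid:rsc,
 cn:rscW
"""

def unfold(text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def parse_ger(text):
    """Return (entry_letters, {attribute: letters}) from GER output."""
    entry, attrs = "", {}
    for line in unfold(text):
        name, _, value = line.partition(":")
        if name == "entryLevelRights":
            entry = value.strip()
        elif name == "attributeLevelRights":
            for item in value.split(","):
                attr, _, letters = item.strip().partition(":")
                # Assumption: "none" means no rights (not shown on this page).
                attrs[attr] = "" if letters == "none" else letters
    return entry, attrs

def describe(letters, table):
    """Translate permission letters into the table's descriptions."""
    return [table.get(ch, "unknown '%s'" % ch) for ch in letters]

def modifiable(attrs):
    """Attributes on which the subject holds any write-type right."""
    return sorted(a for a, held in attrs.items() if MODIFY & set(held))

if __name__ == "__main__":
    entry, attrs = parse_ger(SAMPLE)
    print(describe(entry, ENTRY_RIGHTS), modifiable(attrs))
```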
6.7.2 The format of a get effective rights search
Get effective rights (sometimes called GER) is an extended directory search; the GER parameters
are defined with the -J option with the
ldapsearch -p port -h host
-D bindDN -w bindPassword
-b searchBase
-J 1.3.6.1.4.1.42.2.27.9.5.2:criticality:dn:GER_subject (searchFilter) attributeList
-b searchBase is the base DN subtree or entry used to search for the GER subject.
If the search base is a specific entry DN or if only one entry is returned, then the results show
the rights the requester has over that specific entry. If multiple entries beneath the search
6.7 Checking access rights on entries (get effective rights) 265