HP-UX Directory Server 8.1 deployment guide

forbidding access, the directory forbids access regardless of any conflicting permissions that may
grant access.
Limit the scope of allow access rules to include only the smallest possible subset of users or client
applications. For example, permissions can be set that allow users to write to any attribute on
their directory entry, but then deny all users except members of the Directory Administrators
group the privilege of writing to the uid attribute. Alternatively, write two access rules that
allow write access in the following ways:
- Create one rule that allows write privileges to every attribute except the uid attribute. This
rule should apply to everyone.
- Create one rule that allows write privileges to the uid attribute. This rule should apply only
to members of the Directory Administrators group.
Providing only allow privileges avoids the need to set an explicit deny privilege.
8.7.2.3 When to deny access
It is rarely necessary to set an explicit deny privilege, but there are a few circumstances where
it is useful:
- There is a large directory tree with a complex ACL spread across it.
For security reasons, it may be necessary to suddenly deny access to a particular user, group,
or physical location. Rather than spending the time to carefully examine the existing ACL
to understand how to appropriately restrict the allow permissions, temporarily set the
explicit deny privilege until there is time to do the analysis. If the ACL has become this
complex, then, in the long run, the deny ACI only adds to the administrative overhead. As
soon as possible, rework the ACL to avoid the explicit deny privilege, then simplify the
overall access control scheme.
- Access control should be based on a day of the week or an hour of the day.
For example, all writing activities can be denied from Sunday at 11:00 p.m. (2300) to Monday
at 1:00 a.m. (0100). From an administrative point of view, it may be easier to manage an ACI
that explicitly restricts time-based access of this kind than to search through the directory
for all the allow-for-write ACIs and restrict their scopes in this time frame.
- Privileges should be restricted when delegating directory administration authority to multiple
people.
To allow a person or group of people to manage some part of the directory tree, without
allowing them to modify some aspect of the tree, use an explicit deny privilege.
For example, to make sure that Mail Administrators are not allowed write access to the common
name attribute, set an ACI that explicitly denies write access to the common name attribute.
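The two allow rules described under "When to allow access" and the Sunday-night write freeze from the time-based case above, written as ACI values in an ldapmodify input file. This is an added example, not text from the guide; the suffix dc=example,dc=com, the ou=People placement, the ACL names and the Directory Administrators group DN are assumptions.

```ldif
# Added example (not from the guide). Assumed suffix, placement and group DN.
# Rules 1 and 2 are the pair of allow rules that avoid an explicit deny on uid;
# rule 3 is the time-based deny. An explicit deny always wins over any allow.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "uid")
 (version 3.0; acl "Self write, all attributes except uid";
  allow (write) userdn = "ldap:///self";)
-
add: aci
aci: (targetattr = "uid")
 (version 3.0; acl "Directory Administrators may write uid";
  allow (write)
  groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
-
add: aci
aci: (targetattr = "*")
 (version 3.0; acl "Deny all writes Sunday 2300 to Monday 0100";
  deny (write) (userdn = "ldap:///anyone") and
  ((dayofweek = "Sun" and timeofday >= "2300") or
   (dayofweek = "Mon" and timeofday < "0100"));)
```

A `targetattr != "uid"` rule grants write to every attribute it does not name, so review which attributes self-write covers in your deployment and narrow the exclusion list if the scope is wider than intended.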
8.7.2.4 Where to place access control rules
Access control rules can be placed on any entry in the directory. Often, administrators place
access control rules on entries with the object classes domainComponent, country,
organization, organizationalUnit, inetOrgPerson, or group.
Organize rules into groups as much as possible in order to simplify ACL administration. Rules
generally apply to their target entry and to all that entry's children. Consequently, it is best to
place access control rules on root points in the directory or on directory branch points, rather
than scatter them across individual leaf (such as person) entries.
8.7.2.5 Using filtered access control rules
One of the more powerful features of the Directory Server ACI model is the ability to use LDAP
search filters to set access control. Use LDAP search filters to set access to any directory entry
that matches a defined set of criteria.
120 Designing a secure directory