Red Hat Directory Server 8.0 Administrator's Guide
Right        Description
             operation.
Selfwrite    Indicates whether users can add or delete their own DN from a group. This right is used only for group management.
Proxy        Indicates whether the specified DN can access the target with the rights of another entry.
All          Indicates that the specified DN has all rights (read, write, search, delete, compare, and selfwrite) to the targeted entry, excluding proxy rights.
Table 6.2. User Rights
Rights are granted independently of one another. This means, for example, that a user who is
granted add rights can create an entry but cannot delete it if delete rights have not been
specifically granted. Therefore, when planning the access control policy for your directory, you
must ensure that you grant rights in a way that makes sense for users. For example, it does not
usually make sense to grant write permission without granting read and search permissions.
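The independence of rights in Table 6.2 and the Section 3.3.3 rule that adding an entry needs add permission on the entry plus write permission on each attribute, as an added Python model that is not code from the guide or from Directory Server: it parses constructed allow-style ACIs, expands all to the table's list without proxy, and checks add and delete requests against the rights actually granted. The model assumes a single targetattr clause, a single allow clause and an exact userdn match per ACI; target scoping, deny rules and group membership are not modelled.

```python
import re

# Rights named in Table 6.2; "all" expands to exactly these, never proxy.
ALL_EXPANDS_TO = {"read", "write", "search", "delete", "compare", "selfwrite"}

# Constructed sample ACIs (not from the guide); DNs are placeholders.
SAMPLE_ACIS = [
    '(targetattr="*")(version 3.0; acl "helpdesk adds entries"; '
    'allow (add) userdn="ldap:///cn=helpdesk,ou=Groups,dc=example,dc=com";)',
    '(targetattr="cn || sn || uid")(version 3.0; acl "helpdesk writes names"; '
    'allow (write) userdn="ldap:///cn=helpdesk,ou=Groups,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "admins"; '
    'allow (all) userdn="ldap:///cn=admin,dc=example,dc=com";)',
]

# Minimal pattern: one targetattr clause, one allow clause, one userdn.
ACI_RE = re.compile(r'\(targetattr="(?P<attrs>[^"]*)"\).*?allow\s*\((?P<rights>[^)]*)\)'
                    r'\s*userdn="(?P<userdn>[^"]*)"', re.DOTALL)

def parse_aci(aci):
    """Return (userdn, target attributes, rights) for one allow-style ACI."""
    m = ACI_RE.search(aci)
    if m is None:
        raise ValueError("unsupported ACI: " + aci)
    attrs = {a.strip().lower() for a in m.group("attrs").split("||")}
    rights = {r.strip().lower() for r in m.group("rights").split(",")}
    if "all" in rights:                      # Table 6.2: all excludes proxy
        rights = (rights - {"all"}) | ALL_EXPANDS_TO
    return m.group("userdn"), attrs, rights

def held_rights(acis, userdn, attr=None):
    """Union of rights userdn holds; each right is granted independently.
    With attr given, only ACIs whose targetattr covers that attribute count."""
    held = set()
    for aci in acis:
        dn, attrs, rights = parse_aci(aci)
        if dn == userdn and (attr is None or "*" in attrs or attr.lower() in attrs):
            held |= rights
    return held

def can_add_entry(acis, userdn, entry_attrs):
    """Section 3.3.3: add on the entry plus write on each attribute value."""
    return "add" in held_rights(acis, userdn) and all(
        "write" in held_rights(acis, userdn, a) for a in entry_attrs)

def can_delete_entry(acis, userdn):
    """Add rights do not imply delete rights: the rights are independent."""
    return "delete" in held_rights(acis, userdn)
```

The helpdesk group can add an entry carrying only cn, sn and uid, but not one that also sets userPassword, and cannot delete anything; the admin's all grant carries every right in the table except proxy.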
NOTE
The proxy mechanism is very powerful and must be used sparingly. Proxy rights
are granted within the scope of the ACL, and there is no way to restrict who an
entry that has the proxy right can impersonate; that is, when you grant a user
proxy rights, that user has the ability to proxy for any user under the target; there
is no way to restrict the proxy rights to only certain users. For example, if an
entity has proxy rights to the dc=example,dc=com tree, that entity can do
anything. Make sure you set the proxy ACI at the lowest possible level of the
DIT; see Section 9.11, “Proxied Authorization ACI Example”.
3.3.3. Rights Required for LDAP Operations
This section describes the rights you need to grant to users depending on the type of LDAP
operation you want to authorize them to perform.
• Adding an entry:
    • Grant add permission on the entry being added.
    • Grant write permission on the value of each attribute in the entry. This right is granted by
Chapter 6. Managing Access Control