Red Hat Directory Server 8.0 Administrator's Guide

Permissions.
The Access Control Manager opens with a list of the ACIs belonging to the selected entry.
3. Check the Show Inherited ACIs checkbox to display all ACIs created on entries above the selected entry that also apply.
7. Get Effective Rights Control
Finding the rights on existing attributes within a specific entry gives administrators a convenient way to see and control access rights.
Get effective rights is an extended ldapsearch which returns the access control permissions set on each attribute within an entry. The effective rights are retrieved by sending an LDAP control along with a search operation. The results show the effective rights on each returned entry and on each attribute of each returned entry.
The access control information is divided into two groups of access: rights for an entry and rights for an attribute. Rights for an entry means the rights, such as modify or delete, that are limited to that specific entry. Rights for an attribute means the access right to every instance of that attribute throughout the directory.
Some of the situations when this kind of detailed access control may be necessary include the following:
• An administrator can use the get effective rights command for minute access control, such as allowing certain groups or users access to entries and restricting others. For instance, members of the QA Managers group may have the right to search and read attributes like manager and salary, but only HR Group members have the rights to modify or delete them.
• A user can run the get effective rights command to see what attributes he can view or modify on his personal entry. For instance, a user should have access to attributes such as homePostalAddress and cn but may only have read access to manager and salary.
An ldapsearch run with the -J option (which sets the get effective rights control) returns the access controls placed on a particular entry. The results are appended to each returned entry as two extra attributes, entryLevelRights and attributeLevelRights. If ldapsearch is run without -J, then the entry information is returned as normal, without the entryLevelRights or attributeLevelRights information.
A get effective rights result looks like the following:
dn: uid=tmorris, ou=People, dc=example,dc=com
l: Santa Clara
userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==
entryLevelRights: vadn
attributeLevelRights: l:rscwo, userPassword:wo
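The following is an added example, not part of the Red Hat manual, showing both halves of the procedure above: building the ldapsearch command line that carries the get effective rights control, and parsing the entryLevelRights and attributeLevelRights attributes out of the returned LDIF so a script can check what a given identity may do. It assumes the mozldap-style control syntax -J "OID:criticality:dn: <authorization DN>" and the Get Effective Rights control OID 1.3.6.1.4.1.42.2.27.9.5.2 (neither is stated on this page); the meaning of each rights letter is the one Directory Server documents for these attributes, and the sample result is the one shown above, embedded as a constructed string so the parser runs offline.

```python
"""Get-effective-rights helper for Directory Server (added example, not manual code).

Assumptions (not on the page): the -J value format "OID:true:dn: <authz dn>" used by
the mozldap ldapsearch tool, and the control OID below.
"""
from dataclasses import dataclass, field

GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"  # Get Effective Rights control (assumed, see lead-in)

# Letter codes as documented for Directory Server (not defined on this page).
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename", "v": "view"}
ATTR_RIGHTS = {"r": "read", "s": "search", "c": "compare", "w": "write",
               "o": "obliterate (delete value)", "W": "self-write",
               "O": "self-delete"}


def ger_search_argv(host, bind_dn, authz_dn, base, filt, attrs=()):
    """Return the ldapsearch argv that asks which rights authz_dn has on the
    entries matching filt.  -W prompts for the bind password instead of
    putting it on the command line."""
    argv = ["ldapsearch", "-h", host, "-D", bind_dn, "-W", "-b", base,
            "-J", f"{GER_OID}:true:dn: {authz_dn}", filt]
    argv.extend(attrs)
    return argv


@dataclass
class EffectiveRights:
    dn: str
    entry: set = field(default_factory=set)        # letters from entryLevelRights
    attributes: dict = field(default_factory=dict)  # attr name -> set of letters


def parse_ger_output(ldif: str):
    """Parse ldapsearch LDIF output into one EffectiveRights per entry.
    Entries returned without -J simply end up with empty rights sets."""
    results, cur, lines = [], None, []
    # Fold LDIF continuation lines (a leading space) into the previous line.
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw.rstrip())
    for line in lines:
        if not line:                      # blank line separates entries
            cur = None
            continue
        if line.startswith("dn:"):
            cur = EffectiveRights(dn=line[3:].strip())
            results.append(cur)
            continue
        if cur is None or ": " not in line:
            continue
        name, value = line.split(": ", 1)
        if name == "entryLevelRights":
            cur.entry = set(value.strip())
        elif name == "attributeLevelRights":
            for item in value.split(","):
                attr, _, codes = item.strip().partition(":")
                if attr:
                    cur.attributes[attr] = set(codes.strip())
    return results


def has_attr_right(rights: EffectiveRights, attr: str, code: str) -> bool:
    """True if the parsed result grants letter `code` on attribute `attr`."""
    return code in rights.attributes.get(attr, set())


def describe(rights: EffectiveRights):
    """Human-readable summary, e.g. for an audit report of what a user can do."""
    out = {"entry": sorted(ENTRY_RIGHTS[c] for c in rights.entry if c in ENTRY_RIGHTS)}
    for attr, codes in rights.attributes.items():
        out[attr] = sorted(ATTR_RIGHTS[c] for c in codes if c in ATTR_RIGHTS)
    return out


# Constructed sample: the result shown in the manual text above.
SAMPLE = """dn: uid=tmorris, ou=People, dc=example,dc=com
l: Santa Clara
userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==
entryLevelRights: vadn
attributeLevelRights: l:rscwo, userPassword:wo
"""

if __name__ == "__main__":
    print(" ".join(ger_search_argv("ldap.example.com", "cn=Directory Manager",
                                   "uid=tmorris,ou=People,dc=example,dc=com",
                                   "dc=example,dc=com", "(uid=tmorris)")))
    for r in parse_ger_output(SAMPLE):
        print(r.dn, describe(r))
```

The parser only reports rights on attributes that the search actually returned, which mirrors the server's behaviour: to audit rights on manager or salary, request those attributes explicitly in the search.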