Manualshelf

Red Hat Directory Server 8.0 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Red Hat Directory Server Software
241242243244245246247248249250
see Section 1, “Using Roles”.
When a role gives any sort of privileged user rights over critical corporate or business functions,
consider restricting access to that role. For example, at example.com, employees can add any
role to their own entry except the superAdmin role. This is illustrated in Section 9.3.1, “ACI
"Roles"”.
9.3.1. ACI "Roles"
In LDIF, to grant example.com employees the right to add any role to their own entry except the
superAdmin role, write the following statement:
aci: (targetattr = "nsroledn")
(targattrfilters="add=nsroledn:(nsroledn !=
"cn=superAdmin,dc=example,dc=com")") (version 3.0; acl "Roles";
allow (write) userdn= "ldap:///self" and dns="*.example.com";)
This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com
entry.
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the example-people entry under the example.com node in
the left navigation tree, and choose Set Access Permissions from the pop-up menu to
display the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Roles. In the list of users granted
access permission, do the following:
a. Select and remove All Users, then click Add.
The Add Users and Groups dialog box opens.
b. Set the Search area in the Add Users and Groups dialog box to Special Rights, and
select Self from the search results list.
c. Click the Add button to list Self in the list of users who are granted access permission.
d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, select the checkbox for write. Make sure the other checkboxes are clear.
5. In the Targets tab, click This Entry to use the ou=example-people,dc=example,dc=com
suffix in the Target directory entry field.
6. In the Hosts tab, click Add to display the Add Host Filter dialog box. In the DNS host filter
field, type *.example.com. Click OK to dismiss the dialog box.
Restricting Access to Key Roles
223