Re: ACL: protect entry but not children
>
>
I stumbled further. I don't feel very comfortable with these ACLs.
If anyone can see how this can be more elegant, I would love to hear
it.
Greetings
ace
PS: read them from the bottom up; that is the order in which they make the most sense.
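## TOP LEVEL MANAGERS ACL's
# NOTE(review): slapd uses the first "access to" clause whose <what> matches
# the target entry, and within it the first matching "by" clause, so the
# most specific DNs must come first (hence "read backwards"). Every clause
# also ends with an implicit "by * none": anything not granted is denied.
# NOTE(review): the dn= patterns below carry no style qualifier. If slapd
# treats them as regular expressions they are unanchored, so a pattern such
# as "application=cc" also matches any DN that merely contains that string;
# anchoring them (^...$) or using dn.exact / dn.subtree where appropriate
# would be safer. Left unchanged here -- confirm against the slapd version.
# NOTE(review): in slapd.conf a continuation line must begin with whitespace;
# the mail client dropped that indentation, so the wrapped "dn=", "attrs="
# and "by" lines below have been re-indented.
# this lets you auth
# and modify users under users=managers
# (anonymous gets "auth" only, the minimum a simple bind needs; the managers
# group gets write on the whole entry, which includes userPassword of every
# manager, so any member can reset another manager's password)
access to dn="user=.*,users=managers,aservice=_managers,application=cc"
    by anonymous auth
    by group="group=managers,aservice=_managers,application=cc" write
# This lets you add and delete anything under users=managers
access to dn="users=managers,aservice=_managers,application=cc"
    attrs=children
    by group="group=managers,aservice=_managers,application=cc" write
# This lets you add and delete managers to group=managers
# ("entry" is granted alongside "member" so the group object itself is
# reachable; note this lets members extend the very group that grants them
# these rights)
access to dn="group=managers,aservice=_managers,application=cc"
    attrs=member,entry
    by group="group=managers,aservice=_managers,application=cc" write
# This stops you deleting and adding anything under aservice=_managers
access to dn="aservice=_managers,application=cc" attrs=children
    by group="group=managers,aservice=_managers,application=cc" read
# This stops you from modifying anything under aservice=_managers
access to dn="aservice=_managers,application=cc"
    by group="group=managers,aservice=_managers,application=cc" read
## OC's
# This lets you add and delete anything under aservice=_managers
access to dn="aservice=_managers,oc=.*,application=cc"
    attrs=children
    by group="group=managers,aservice=_managers,application=cc" write
# This lets you view and modify anything under aservice=_managers
access to dn=".*,aservice=_managers,oc=.*,application=cc"
    by group="group=managers,aservice=_managers,application=cc" write
# This stops you viewing, deleting and adding anything under aservice
access to dn="aservice=.*,oc=.*,application=cc" attrs=children
    by group="group=managers,aservice=_managers,application=cc" search
# This stops you from viewing and modifying anything under aservice
access to dn=".*,aservice=.*,oc=.*,application=cc"
    by group="group=managers,aservice=_managers,application=cc" search
# This lets you modify oc's
# and anything under it
# so you can add, modify and delete aservice
# and anything under it
access to dn="oc=.*,application=cc"
    by group="group=managers,aservice=_managers,application=cc" write
# This lets you view, add and delete oc's
# but not modify oc's
# and not view or modify the application itself
# NOTE(review): "children" only governs adding/deleting entries directly
# below application=cc. Reading or modifying the oc entries themselves is
# decided by the dn="oc=.*,application=cc" clause above, which grants write,
# so "not modify oc's" describes this clause alone, not the net effect.
access to dn="application=cc" attrs=children
    by group="group=managers,aservice=_managers,application=cc" write
# This lets you view the application
access to dn="application=cc"
    by group="group=managers,aservice=_managers,application=cc" read
#######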