
Re: ACL: protect entry but not children




I stumbled further. I don't feel very well about these ACLs.
If anyone can see how this can be more elegant, I would love to hear it.

Greetings
ace

PS: read backwards, it makes the most sense.


## TOP LEVEL MANAGERS ACLs

# this lets you auth
# and modify user under users=managers
access to dn="user=.*,users=managers,aservice=_managers,application=cc"
  by anonymous auth
  by group="group=managers,aservice=_managers,application=cc" write

# This lets you add and delete anything under users=managers
access to dn="users=managers,aservice=_managers,application=cc" attrs=children
   by group="group=managers,aservice=_managers,application=cc" write

# This lets you add and delete managers to group=managers
access to dn="group=managers,aservice=_managers,application=cc" attrs=member,entry
   by group="group=managers,aservice=_managers,application=cc" write

# This stops you deleting and adding anything under aservice=_managers
access to dn="aservice=_managers,application=cc" attrs=children
   by group="group=managers,aservice=_managers,application=cc" read

# This stops you from modifying anything under aservice=_managers
access to dn="aservice=_managers,application=cc"
   by group="group=managers,aservice=_managers,application=cc" read


## OC's

# This lets you add and delete anything under aservice=_managers
access to dn="aservice=_managers,oc=.*,application=cc" attrs=children
   by group="group=managers,aservice=_managers,application=cc" write

# This lets you view and modify anything under aservice=_managers
access to dn=".*,aservice=_managers,oc=.*,application=cc"
   by group="group=managers,aservice=_managers,application=cc" write

# This stops you viewing, deleting and adding anything under aservice
access to dn="aservice=.*,oc=.*,application=cc" attrs=children
   by group="group=managers,aservice=_managers,application=cc" search

# This stops you from viewing and modifying anything under aservice
access to dn=".*,aservice=.*,oc=.*,application=cc"
   by group="group=managers,aservice=_managers,application=cc" search

# This lets you modify oc's
# and anything under it
# so you can add, modify and delete aservice
# and anything under it
access to dn="oc=.*,application=cc"
   by group="group=managers,aservice=_managers,application=cc" write

# This lets you view, add and delete oc's
# but not modify oc's
# and not view or modify the application itself
access to dn="application=cc" attrs=children
   by group="group=managers,aservice=_managers,application=cc" write

# This lets you view the application
access to dn="application=cc"
   by group="group=managers,aservice=_managers,application=cc" read

#######
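To see how slapd picks a rule for a request, here is an added Python model of first-match ACL evaluation (example code, not from the post or from OpenLDAP): the rule list is the posted top-level set, the subject dicts are constructed, and the two modelling assumptions (unanchored dn regexes, and a clause with no attrs covering the entry/children pseudo-attributes) are marked in comments. Running the same request against the rules in the posted order and in reverse shows why the "read backwards" ordering matters.

```python
import re

# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# The first "access to" clause whose dn regex and attrs match the request is
# selected; then the first matching "by" clause gives the level, and a
# selected clause with no matching "by" means no access (implicit "by * none").
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
MANAGERS = "group=managers,aservice=_managers,application=cc"

# The posted top-level rules, in the order written. Assumption: a clause with
# no attrs list covers every attribute, including the entry/children pseudo-attrs.
ACLS = [
    (r"user=.*,users=managers,aservice=_managers,application=cc", None,
     [("anonymous", "auth"), (MANAGERS, "write")]),
    (r"users=managers,aservice=_managers,application=cc", {"children"},
     [(MANAGERS, "write")]),
    (r"group=managers,aservice=_managers,application=cc", {"member", "entry"},
     [(MANAGERS, "write")]),
    (r"aservice=_managers,application=cc", {"children"}, [(MANAGERS, "read")]),
    (r"aservice=_managers,application=cc", None, [(MANAGERS, "read")]),
]

def by_matches(who, subject):
    """subject: {'anonymous': bool, 'groups': set of group DNs} (constructed)."""
    if who == "anonymous":
        return subject.get("anonymous", False)
    return who in subject.get("groups", ())

def evaluate(acls, dn, attr, subject):
    """Access level `subject` gets on `attr` of `dn` under first-match rules."""
    for pattern, attrs, by_clauses in acls:
        # Assumption: unanchored regex targets (POSIX regexec semantics), so a
        # pattern written without ^/$ also matches every DN beneath that entry.
        if not re.search(pattern, dn, re.IGNORECASE):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:
            if by_matches(who, subject):
                return level
        return "none"
    return "none"  # assumption: no matching "access to" clause grants nothing

if __name__ == "__main__":
    mgr = {"groups": {MANAGERS}}
    parent = "users=managers,aservice=_managers,application=cc"
    print("as written:", evaluate(ACLS, parent, "children", mgr))  # write
    print("reversed  :", evaluate(list(reversed(ACLS)), parent, "children", mgr))  # read
```

With the rules reversed, the broad `aservice=_managers,application=cc` clause is selected first for every descendant DN and shadows the specific `users=managers` and `group=managers` grants, which is exactly the shadowing the specific-before-general order avoids.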