HP UX Direry Server 8.7.1.1 Targets, 8.7.1.2 Permissions, "if you bind as Babs Jensen, “Allowing or denying access”

A permission can be set to allow anyone binding as Babs Jensen to write to Babs Jensen's telephone number. The bind rule in this permission is the part that states "if you bind as Babs Jensen." The target is Babs Jensen's phone number, and the permission is write access.

8.7.1.1 Targets

Decide which entry is targeted by every ACI created in the directory. Targeting a directory branch point entry includes that branch point and all its child entries in the scope of the permission. If a target entry is not explicitly defined for the ACI, then the ACI is targeted to the directory entry that contains the ACI statement. Further, the default set of attributes targeted by the ACI is any attribute available in the targeted entry's object class structure.

For every ACI, only one entry or only those entries that match a single LDAP search filter can be targeted.

In addition to targeting entries, it is possible to target attributes on the entry; this applies the permission to only a subset of attribute values. Target sets of attributes by explicitly naming those attributes that are targeted or by explicitly naming the attributes that are not targeted by the ACI. Excluding attributes in the target sets a permission for all but a few attributes allowed by an object class structure.

8.7.1.2 Permissions

Permissions can either allow or deny access. In general, avoid denying permissions (for the reasons explained in “Allowing or denying access”). Permissions can be any operation performed on the directory service:

Permission	Description
Read	Indicates whether directory data may be read.

Write	Indicates whether directory data may be changed or created. This permission also
	allows directory data to be deleted but not the entry itself. To delete an entire entry,
	the user must have delete permissions.

Search	Indicates whether the directory data can be searched. This differs from the read
	permission in that read allows directory data to be viewed if it is returned as part of
	a search operation.
	For example, if searching for common names is allowed as well as read permission
	for a person's room number, then the room number can be returned as part of the
	common name search, but the room number itself cannot be used as the subject of a
	search. Use this combination to prevent people from searching the directory to see
	who sits in a particular room.

Compare	Indicates whether the data may be used in comparison operations. The compare
	permission implies the ability to search, but actual directory information is not returned
	as a result of the search. Instead, a simple Boolean value is returned which indicates
	whether the compared values match. This is used to match userPassword attribute
	values during directory authentication.

Self-write	Used only for group management. This permission enables a user to add to or delete
	themselves from a group.

Add	Indicates whether child entries can be created. This permission enables a user to create
	child entries beneath the targeted entry.

Delete	Indicates whether an entry can be deleted. This permission enables a user to delete
	the targeted entry.

Proxy	Indicates that the user can use any other DN, except Directory Manager, to access the
	directory with the rights of this DN.

118 Designing a secure directory