For more information on macro ACIs, refer to the "Managing Access Control" chapter in the HP-UX Directory Server administrator guide.

Balance allow and deny permissions.

Although the default rule is to deny access to any user who has not been specifically granted access, it may be better to reduce the number of ACIs by using one ACI to allow access close to the root of the tree, and a small number of deny ACIs close to the leaf entries. This scenario can avoid the use of multiple allow ACIs close to the leaf entries.

Identify the smallest set of attributes on any given ACI.

When allowing or denying access to a subset of attributes on an object, determine whether the smallest list is the set of attributes that are allowed or the set of attributes that are denied. Then express the ACI so that it only requires managing the smallest list.

For example, the person object class contains a large number of attributes. To allow a user to update only one or two of these attributes, write the ACI so that it allows write access for only those few attributes. However, to allow a user to update all but one or two attributes, create the ACI so that it allows write access for everything but a few named attributes.

Use LDAP search filters cautiously.

Search filters do not directly name the object for which you are managing access. Consequently their use can produce unexpected results. This is especially true as the directory becomes more complex. Before using search filters in ACIs, run an ldapsearch operation using the same filter to make clear what the results of the changes mean to the directory.

Do not duplicate ACIs in differing parts of the directory tree.

Guard against overlapping ACIs. For example, if there is an ACI at the directory root point that allows a group write access to the commonName and givenName attributes, and another ACI that allows the same group write access for only the commonName attribute, then consider reworking the ACIs so that only one control grants the write access for the group.

As the directory grows more complex, the risk of accidentally overlapping ACIs quickly increases. By avoiding ACI overlap, security management becomes easier while potentially reducing the total number of ACIs contained in the directory.

Name ACIs.

While naming ACIs is optional, giving each ACI a short, meaningful name helps with managing the security model, especially when examining ACIs from the Directory Server Console.

Group ACIs as closely together as possible within the directory.

Try to limit ACI placement to the directory root point and to major directory branch points. Grouping ACIs helps to manage the total list of ACIs, as well as helping keep the total number of ACIs in the directory to a minimum.

Avoid using double negatives, such as deny write if the bind DN is not equal to cn=Joe.

Although this syntax is perfectly acceptable for the server, it is confusing for a human administrator.

8.8Database encryption

Information is stored in a database in plain text. Consequently, some extremely sensitive information, such as government identification numbers or passwords, may not be sufficiently protected by access control measures. It may be possible to gain access to a server's persistent storage files, either directly through the file system or by accessing discarded disk drives or archive media.

8.8 Database encryption 123