Get Effective Rights Control

Permissions.

The Access Control Manager opens with a list of the ACIs belonging to the selected entry.

3. Check the Show Inherited ACIs checkbox to display all ACIs created on entries above the selected entry that also apply.

7. Get Effective Rights Control

Retrieving the rights set on the attributes of a specific entry gives administrators a convenient way to find and verify the access rights that actually apply to it.

Get effective rights is an extended ldapsearch which returns the access control permissions set on each attribute within an entry. The effective rights can be retrieved by sending an LDAP control along with a search operation. The results show the effective rights on each returned entry and each attribute of each returned entry.

The access control information is divided into two groups of access: rights for an entry and rights for an attribute. Rights for an entry means the rights, such as modify or delete, that are limited to that specific entry. Rights for an attribute means the access right to every instance of that attribute throughout the directory.

Some of the situations when this kind of detailed access control may be necessary include the following:

An administrator can use the get effective rights command for minute access control, such as allowing certain groups or users access to entries and restricting others. For instance, members of the QA Managers group may have the right to search and read attributes like manager and salary but only HR Group members have the rights to modify or delete them.

A user can run the get effective rights command to see what attributes he can view or modify on his personal entry. For instance, a user should have access to attributes such as homePostalAddress and cn but may only have read access to manager and salary.

An ldapsearch run with the -J option (which sets the get effective rights control) returns the access controls placed on a particular entry. The entryLevelRights and attributeLevelRights values are appended as attributes at the end of each returned entry. If ldapsearch is run without -J, then the entry information is returned as normal, without the entryLevelRights or attributeLevelRights information.

A get effective rights result looks like the following:

    dn: uid=tmorris, ou=People, dc=example,dc=com
    l: Santa Clara
    userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==
    entryLevelRights: vadn
    attributeLevelRights: l:rscwo, userPassword:wo
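The following Python script is an added example, not part of the HP-UX Red Hat Directory Server manual. It parses output of the form shown above (the sample result is embedded as constructed input), splits the entryLevelRights and attributeLevelRights values into individual rights, and runs a small least-privilege check: does the bound identity hold read access on a secret attribute such as userPassword? The meaning given to each rights letter (a/d/n/v for entries, r/s/c/w/o/W/O for attributes) is taken from the Red Hat Directory Server product documentation and is an assumption here, since this page does not list it; the function names are the example's own.

```python
"""Decode get-effective-rights output from ldapsearch -J (added example)."""
import base64

# Assumed letter meanings, from the Red Hat Directory Server documentation
# (not stated on this page).
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename", "v": "view"}
ATTR_RIGHTS = {"r": "read", "s": "search", "c": "compare",
               "w": "write (add values)", "o": "obliterate (delete values)",
               "W": "self-write (add values)", "O": "self-write (delete values)"}

# Constructed sample input: the single-entry result shown in the manual.
SAMPLE = """\
dn: uid=tmorris, ou=People, dc=example,dc=com
l: Santa Clara
userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==
entryLevelRights: vadn
attributeLevelRights: l:rscwo, userPassword:wo
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_effective_rights(text):
    """Return a list of entries: {dn, attrs, entry_rights, attr_rights}."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):             # LDIF comment
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}, "entry_rights": set(), "attr_rights": {}}
        elif current is None:
            continue                          # text before the first dn
        elif name == "entryLevelRights":
            current["entry_rights"] = set(value)
        elif name == "attributeLevelRights":
            for item in value.split(","):    # "l:rscwo, userPassword:wo"
                attr, _, letters = item.strip().partition(":")
                current["attr_rights"][attr] = set(letters)
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def has_right(entry, attr, letter):
    """True if the bound identity holds the given right letter on attr."""
    return letter in entry["attr_rights"].get(attr, set())


def describe(entry):
    """Human-readable summary of an entry's effective rights."""
    out = [entry["dn"] + ": entry rights = "
           + ", ".join(ENTRY_RIGHTS.get(c, c) for c in sorted(entry["entry_rights"]))]
    for attr, letters in entry["attr_rights"].items():
        out.append("  %s: %s" % (attr, ", ".join(ATTR_RIGHTS.get(c, c) for c in sorted(letters))))
    return "\n".join(out)


def audit_readable_secrets(entries, secret_attrs=("userPassword",)):
    """Flag (dn, attr) pairs where a secret attribute is readable.

    In the sample, userPassword is 'wo' (writable and deletable) but not
    readable, so the audit returns no findings.
    """
    return [(e["dn"], a) for e in entries for a in secret_attrs if has_right(e, a, "r")]


if __name__ == "__main__":
    for entry in parse_effective_rights(SAMPLE):
        print(describe(entry))
    print("readable secrets:", audit_readable_secrets(parse_effective_rights(SAMPLE)))
```

The script reads text only, so it can be pointed at saved ldapsearch output from any bind identity; running it once per role (an HR Group member, a QA Managers member, a user bound as themselves) is a quick way to confirm that the rights returned by the control match the intended policy described above.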

HP-UX Red Hat Directory Server Software manual: Get Effective Rights Control Permissions