Ski Kacoroski wrote:
Ok,
I think I have it mostly figured out for my particular case. I would
appreciate any comments (and improvements) on the following set of ACLs
which limit access to a staff object in my directory. I am very
interested if there is a best practice way on how to provide different
levels of access to different attributes of an object. Once I get this
down, I will add something to the FAQ. Thanks in advance for your help.
Not relevant to your ACLs, but something to put in the FAQ: every ACL is
followed by an implicit "by * none", so any ACL later in the list which
applies in the same scope as a previous ACL will not be effective. (So
if you were to put your last ACL, below, first then it would be the only
one that was effective unless you specified "by * break".)
# Basic setup ACLs
# Allow everyone to access base dn to set up a connection
access to dn.base=""
    by * read
# Allow everyone to access all entries
access to attrs=entry
    by self write
    by * read
# password only can be changed by self and admins
access to attrs=userPassword
    by anonymous auth
    by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
    by self write
    by * none
# Staff tree ACLs
# everyone can read these attributes, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
    attrs=cn,givenName,sn,mail,displayName
    by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
    by * read
# everyone can read these attributes, admins and self can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
    attrs=nsdPrefLastName,nsdPrefFirstName
    by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
    by self write
    by * read
# all authenticated people can read, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
    attrs=nsdMobilePhone,nsdAltPhone,nsdGeneralPhone,nsdPhoto
    by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
    by users read
    by * search
# all authenticated people can read, admins & self can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
    attrs=nsdPersonalEmail,nsdPersonalPhone,nsdPersonalMobilePhone
    by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
    by self write
    by users read
    by * search
# self can read these attributes, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
    attrs=nsdEmployeeNumber,nsdBargainUnit,nsdPCN
    by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
    by self read
    by * search
# for everything else, only admins can read & write
access to *
    by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
    by * search
cheers,
ski
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
Systems Administrator
DigiPen Institute of Technology
(425) 895-4443
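The ordering point raised in the reply (first matching "access to" directive wins, an unmatched directive ends in the implicit "by * none", and only "by * break" lets evaluation continue) is easy to get wrong when reviewing a long ACL list. The following is an added example, not code from either poster or from OpenLDAP itself: a small Python model of that first-match evaluation, run over a constructed subset of the ACLs above. The DN and group names are the thread's; the requester DNs and the helper names (`Requester`, `Acl`, `evaluate`, `allows`) are assumptions made for the illustration, and the model simplifies real slapd semantics (no dn.base/dn.one styles, no attribute values, no default-access subtleties).

```python
"""Toy first-match evaluator for slapd-style ACLs (constructed illustration).

Models only what the thread discusses: 'access to' directives are tried in
order, the first one whose target matches decides the outcome; inside it the
first matching 'by' clause wins, and a matching directive with no matching
'by' clause ends in the implicit 'by * none'.  'by * break' records the level
and continues with the next directive.  This is a simplified model, not the
real slapd implementation.
"""
from dataclasses import dataclass
from typing import Optional

# Simplified privilege ladder; each level implies everything below it.
LEVELS = ["none", "auth", "search", "read", "write"]


@dataclass
class Requester:
    dn: Optional[str]                    # None models an anonymous bind
    groups: frozenset = frozenset()      # group DNs the requester is a member of


@dataclass
class Acl:
    subtree: Optional[str]               # dn.subtree=... ; None matches any entry
    attrs: Optional[frozenset]           # attrs=... ; None matches any attribute
    by: list                             # [(who, level, control)], control 'break' or None


def who_matches(who: str, req: Requester, target_dn: str) -> bool:
    """Match a 'by' clause subject against the requester and target entry."""
    if who == "*":
        return True
    if who == "anonymous":
        return req.dn is None
    if who == "users":
        return req.dn is not None
    if who == "self":
        return req.dn is not None and req.dn.lower() == target_dn.lower()
    if who.startswith("group="):
        return who[len("group="):].lower() in {g.lower() for g in req.groups}
    raise ValueError(f"unknown who clause: {who}")


def target_matches(acl: Acl, dn: str, attr: str) -> bool:
    dn_ok = acl.subtree is None or dn.lower().endswith(acl.subtree.lower())
    attr_ok = acl.attrs is None or attr in acl.attrs
    return dn_ok and attr_ok


def evaluate(acls: list, req: Requester, dn: str, attr: str) -> str:
    """Return the access level the first matching directive grants."""
    granted = "none"
    for acl in acls:
        if not target_matches(acl, dn, attr):
            continue
        for who, level, control in acl.by:
            if who_matches(who, req, dn):
                granted = level
                if control == "break":
                    break                # keep going with later directives
                return granted           # first match decides
        else:
            return "none"                # implicit trailing 'by * none'
    return granted                       # only reached after 'break' (or no match)


def allows(acls: list, req: Requester, dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(evaluate(acls, req, dn, attr)) >= LEVELS.index(needed)


# Names from the thread; everything below is a constructed subset of its ACLs.
ADMINS = "cn=Admins,ou=Groups,dc=nsd,dc=org"
STAFF = "ou=staff,ou=People,dc=nsd,dc=org"
ALICE = "uid=alice," + STAFF             # hypothetical staff entry

POSTED = [                               # same order as in the posted config
    Acl(STAFF, frozenset({"cn", "sn", "mail"}),
        [("group=" + ADMINS, "write", None), ("*", "read", None)]),
    Acl(STAFF, frozenset({"nsdEmployeeNumber"}),
        [("group=" + ADMINS, "write", None), ("self", "read", None),
         ("*", "search", None)]),
    Acl(None, None, [("group=" + ADMINS, "write", None), ("*", "search", None)]),
]
# The catch-all moved first, as the reply warns: it shadows the others.
CATCHALL_FIRST = [POSTED[2], POSTED[0], POSTED[1]]
# Catch-all first but ending in 'by * break', so later directives still apply.
CATCHALL_BREAK = [
    Acl(None, None, [("group=" + ADMINS, "write", None), ("*", "search", "break")]),
    POSTED[0], POSTED[1],
]

ANON = Requester(None)
ALICE_SELF = Requester(ALICE)
ADMIN = Requester("uid=ops,ou=People,dc=nsd,dc=org", frozenset({ADMINS}))

if __name__ == "__main__":
    for name, acls in [("posted", POSTED), ("catch-all first", CATCHALL_FIRST),
                       ("catch-all + break", CATCHALL_BREAK)]:
        print(name, "anon/cn ->", evaluate(acls, ANON, ALICE, "cn"),
              "| self/nsdEmployeeNumber ->",
              evaluate(acls, ALICE_SELF, ALICE, "nsdEmployeeNumber"))
```

Running it shows the shadowing directly: with the posted order an anonymous reader gets `read` on `cn` and Alice gets `read` on her own `nsdEmployeeNumber`, but with the catch-all moved to the top both drop to `search`, and only the `break` variant restores the per-attribute results. Before changing ACL order on a live server, the safer check is `slapacl` against the actual config, since this model deliberately leaves out most of slapd's matching rules.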