Click OK. The content access item you just created appears in the list.

29-24 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Note that, in order to enable reading the attributes, you must grant permission to browse the entries.

Selecting Entries by DN

This example shows the use of a regular expression to select the entries by DN in two access directives. It grants to everyone read-only access to the address book attributes under dc=example,dc=com.

    ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f my_ldif_file

The orclACI attribute of dc=example,dc=com is specified as follows:

    access to entry by * (browse)
    access to attr=(cn, telephone, email) by * (search, read)

The orclACI attribute of dc=us,dc=example,dc=com is specified as follows:

    access to entry by * (browse)
    access to attr=(*) by dn=".*,dc=us,dc=example,dc=com" (search, read)

Using Attribute and Subject Selectors

This example shows the use of an attribute selector to grant access to a specific attribute, and various subject selectors. The example applies to entries in the dc=us,dc=example,dc=com subtree. The policy enforced by this ACI can be described as follows:

■ For all entries within the subtree, the administrator has add, delete, and browse permissions. Others within the dc=us subtree can browse, but those outside it have no access to the subtree.
■ The salary attribute can be modified by your manager and viewed by yourself. No one else has access to the salary attribute.
■ The userPassword attribute can be viewed and modified by yourself and the administrator. Others can only compare this attribute.
■ The homePhone attribute can be read and written by yourself and viewed by anyone else.
■ For all other attributes, only the administrator can modify values. Everyone else can compare, search, and read, but cannot update attribute values.
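The ldapmodify command in this example reads the ACI from my_ldif_file, which the guide does not show. The following LDIF is an added example, not taken from the guide, that carries the policy just described; it assumes that each access directive is stored as one value of the multi-valued orclACI attribute, and the file name aci.ldif, the choice of replace over add, and the verifying ldapsearch invocation are assumptions as well.

```ldif
# Constructed example: the file behind "ldapmodify ... -f my_ldif_file".
# Assumed: each "access to ..." directive is stored as one value of the
# multi-valued orclACI attribute. "replace" discards any orclACI values
# already on the entry; use "add" to append to them instead.
# A line starting with a space continues the previous line and the first
# space is dropped, so two leading spaces keep one real space in the value.
dn: dc=us,dc=example,dc=com
changetype: modify
replace: orclACI
orclACI: access to entry
  by dn="cn=admin, dc=us,dc=example,dc=com" (browse, add, delete)
  by dn=".*, dc=us,dc=example,dc=com" (browse)
  by * (none)
orclACI: access to attr=(salary)
  by dnattr=(manager) (read, write)
  by self (read)
  by * (none)
orclACI: access to attr=(userPassword)
  by self (search, read, write)
  by dn="cn=admin, dc=us,dc=example,dc=com" (search, read, write)
  by * (compare)
orclACI: access to attr=(homePhone)
  by self (search, read, write)
  by * (read)
orclACI: access to attr!=(salary, userPassword, homePhone)
  by dn="cn=admin, dc=us,dc=example,dc=com" (compare, search, read, write)
  by * (compare, search, read)

# Apply with the command from the guide, then confirm what the server holds
# (the ldapsearch invocation and its -q password prompt are assumed here):
#   ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f aci.ldif
#   ldapsearch -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q \
#     -b "dc=us,dc=example,dc=com" -s base "(objectclass=*)" orclaci
```

Reading the entry back after the modify is the check that matters: a fold that lost its space or a directive the server rejected shows up there, not in the ldapmodify exit status alone.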
    ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f my_ldif_file

The orclACI attribute of dc=us,dc=example,dc=com is specified as follows:

    access to entry
      by dn="cn=admin, dc=us,dc=example,dc=com" (browse, add, delete)
      by dn=".*, dc=us,dc=example,dc=com" (browse)
      by * (none)
    access to attr=(salary)
      by dnattr=(manager) (read, write)
      by self (read)
      by * (none)
    access to attr=(userPassword)
      by self (search, read, write)
      by dn="cn=admin, dc=us,dc=example,dc=com" (search, read, write)
      by * (compare)
    access to attr=(homePhone)
      by self (search, read, write)
      by * (read)
    access to attr!=(salary, userPassword, homePhone)
      by dn="cn=admin, dc=us,dc=example,dc=com" (compare, search, read, write)
      by * (compare, search, read)

Managing Directory Access Control 29-25

Granting Read-Only Access

This example gives to everyone read-only access to address book attributes under dc=example,dc=com. It also extends to everyone read access to all attributes within the dc=us,dc=example,dc=com subtree only.

    ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f my_ldif_file

The orclACI attribute of dc=example,dc=com is specified as follows:

    access to entry by * (browse)
    access to attr=(cn, telephone, email) by * (search, read)

The orclACI attribute of dc=us,dc=example,dc=com is specified as follows:

    access to entry by * (browse)
    access to attr=(*) by dn=".*,dc=us,dc=example,dc=com" (search, read)

Granting Selfwrite Access to Group Entries

This example enables people within the US domain to add or remove only their own name DN to or from the member attribute of a particular group entry—for example, a mailing list.

    ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f my_ldif_file

The orclEntryLevelACI attribute of the group entry is specified as follows:

    access to attr=(member) by dn=".*, dc=us,dc=example,dc=com" (selfwrite)

Defining a Completely Autonomous Policy to Inhibit Overriding Policies

This example denies group override.
    ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f my_ldif_file

The example uses the following DNs:

Table 29–5 DNs Used in Example

    Container                                                        DN
    Naming context to be restricted from group overriding policies   c=us
    User container                                                   cn=users,c=us
    Sensitive data                                                   cn=appdata