
6-6 Oracle Fusion Middleware Administrators Guide for Oracle Virtual Directory

6.3.4 Oracle Virtual Directory Access Control Components

This section describes Oracle Virtual Directory access control components and contains the following sections:
■ Overview
■ Access Control Scope
■ Access Control Rights
■ Attribute Access Control
■ Access Control Permissions
■ Access Control Subjects

6.3.4.1 Overview

To create an Oracle Virtual Directory ACL you:
■ Configure an Access Control Point, that is, identify the location where the ACL will be applied. Typically the Access Control Point is a distinguished name, but it can also be root to stand for the base of the tree.
■ Configure the policy for both Structural Access Items, that is, entire entries in the virtual directory tree, and for Content Access Items, that is, the attributes of the entry.

6.3.4.2 Access Control Scope

Oracle Virtual Directory defines two types of scope for access control: Entry and Subtree. Figure 6–2 illustrates how these scope components operate.

Figure 6–2 Oracle Virtual Directory Access Control Scopes
[Figure: a DIT with Location 1 under Entry scope, covering only that DN, and Location 2 under Subtree scope, covering that DN and every DN below it]

As shown in Figure 6–2, location and scope are related in that location indicates the position in the DIT where scope is evaluated. In the entry portion of Figure 6–2, the ACL applies only when the directory entry DN being accessed or modified is the same DN indicated by Location 1. In the subtree portion of Figure 6–2, all DNs beginning from Location 1 and moving downward are affected by the ACL with subtree scope. The only endpoint for a subtree scope occurs when, for a given ACL, another ACL declared at a point below the first ACL (Location 2) alters the rules established by the first ACL.

Note: If an entry being accessed or modified on the Oracle Virtual Directory server does not equal or reside below the ACL Access Control Point, the given ACL is not evaluated further. If the entry being accessed or modified does equal or reside below the ACL Access Control Point, the ACL scope setting is evaluated.

Entry scope is often used with various subjects and deny settings. It is especially useful when a single entry contains more sensitive information than the entries around it or even below it and must be kept private. When two scope rules exist that differ only in their scope type, an entry scope takes precedence over a subtree scope.

6.3.4.3 Access Control Rights

There are two Oracle Virtual Directory access rights for each permission: grant and deny. The decision whether to grant or deny a client access to a particular piece of information is based on many factors related to the access control rules and the entry being protected. Throughout the decision-making process, the following guiding principles are used:
■ Specificity: more specific rules override less specific ones; for example, a specific client DN in an ACL takes precedence over a group reference.
■ Deny: the default when access control is enabled and there is no access control information granting or denying the operation.
■ Grant: the default when access controls are disabled in Oracle Virtual Directory.
■ Entry vs. Subtree: the entry scope takes precedence over the subtree scope, given that the subject and attributes have the same specificity.

The following is the order of precedence Oracle Virtual Directory uses in evaluating ACLs which differ only in the type of subject:
1. Specific DN or IP Address
2. This
3. Groups
4. Subtree
5. Public

6.3.4.4 Attribute Access Control

The attributes component is strongly linked to the permissions component because it determines whether permissions apply to directory entries as a whole, by selecting Entry, or to some or all of their attributes, by identifying specific attributes.

6.3.4.5 Access Control Permissions

The permissions that apply either to entire entries or to their attributes parallel the type of LDAP operations that can be performed. Each of the LDAP access permissions

Note: If two ACLs differ only by their grant/deny property, the resulting permission is a deny regardless of the order in which the ACLs are added. For example, the following two ACLs will result in a deny for Search (s) and Read (r) of all attributes for public:
deny:s,r[all]public:
grant:s,r[all]public:
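The scope rules of 6.3.4.2, the specificity and default rules of 6.3.4.3, and the grant/deny conflict in the note above, as an added Python model. This is illustration code, not Oracle Virtual Directory's engine or its ACL syntax: the Acl and Client classes, decide() and every DN, client and ACL in it are constructed for the example, and using Access Control Point depth as the final tie-breaker is this example's assumption, since the text does not order it against the other factors.

```python
"""Toy evaluator for the ACL rules described above: scope, specificity,
default deny and deny on a grant/deny conflict. Added illustration only; the
DNs, clients and ACLs below are constructed and are not OVD's own syntax."""
from dataclasses import dataclass

# Subject precedence from the text; a lower number is more specific.
SUBJECT_RANK = {"dn": 0, "ip": 0, "this": 1, "group": 2, "subtree": 3, "public": 4}

def dn_parts(dn):
    """Split a DN into normalised RDNs; the empty string stands for root."""
    return [p.strip().lower() for p in dn.split(",")] if dn.strip() else []

def is_at_or_below(entry_dn, base_dn):
    """True when entry_dn equals base_dn or sits below it (root matches all)."""
    entry, base = dn_parts(entry_dn), dn_parts(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

@dataclass(frozen=True)
class Acl:
    location: str       # Access Control Point DN, "" for root
    scope: str          # "entry" or "subtree"
    right: str          # "grant" or "deny"
    perms: frozenset    # permission letters, e.g. {"s", "r"} for search/read
    attrs: frozenset    # {"all"} or the attribute names covered
    subject_type: str   # dn, ip, this, group, subtree or public
    subject: str = ""   # DN, IP address, group DN or subtree base DN

@dataclass(frozen=True)
class Client:
    dn: str                          # "" for an anonymous bind
    ip: str
    groups: frozenset = frozenset()  # DNs of the groups the client belongs to

def subject_matches(acl, client, entry_dn):
    kind = acl.subject_type
    if kind == "dn":
        return dn_parts(client.dn) == dn_parts(acl.subject)
    if kind == "ip":
        return client.ip == acl.subject
    if kind == "this":  # the client is bound as the entry being accessed
        return dn_parts(client.dn) == dn_parts(entry_dn)
    if kind == "group":
        return dn_parts(acl.subject) in [dn_parts(g) for g in client.groups]
    if kind == "subtree":
        return is_at_or_below(client.dn, acl.subject)
    return kind == "public"

def acl_applies(acl, client, entry_dn, perm, attr):
    # Entry not at or below the Access Control Point: ACL not evaluated further.
    if not is_at_or_below(entry_dn, acl.location):
        return False
    # Entry scope covers only the ACP itself; subtree scope covers all below it.
    if acl.scope == "entry" and dn_parts(entry_dn) != dn_parts(acl.location):
        return False
    if perm not in acl.perms or ("all" not in acl.attrs and attr not in acl.attrs):
        return False
    return subject_matches(acl, client, entry_dn)

def specificity(acl, attr):
    """Sort key; a smaller tuple is more specific. The first three fields follow
    the text; ACP depth as the final tie-breaker is this example's assumption."""
    return (0 if attr in acl.attrs else 1,      # named attribute beats [all]
            SUBJECT_RANK[acl.subject_type],      # DN/IP > this > group > subtree > public
            0 if acl.scope == "entry" else 1,    # entry scope beats subtree scope
            -len(dn_parts(acl.location)))        # a lower ACL alters the rules of one above

def decide(acls, client, entry_dn, perm, attr="all", enabled=True):
    """Return "grant" or "deny" for one client, entry, permission and attribute."""
    if not enabled:
        return "grant"  # default when access controls are disabled
    applicable = [a for a in acls if acl_applies(a, client, entry_dn, perm, attr)]
    if not applicable:
        return "deny"   # default when access control is enabled
    best = min(specificity(a, attr) for a in applicable)
    winners = [a for a in applicable if specificity(a, attr) == best]
    # ACLs that differ only by grant/deny resolve to deny, whatever their order.
    return "deny" if any(a.right == "deny" for a in winners) else "grant"

# Constructed sample data.
BASE = "dc=example,dc=com"
SECRET = "cn=secrets,ou=vault," + BASE
SR, ALL = frozenset({"s", "r"}), frozenset({"all"})
ADMINS = "cn=admins,ou=groups," + BASE
ADMIN = Client("cn=alice,ou=people," + BASE, "10.0.0.5", frozenset({ADMINS}))
ANON = Client("", "203.0.113.9")

# The two ACLs from the note (deny:s,r[all]public and grant:s,r[all]public).
CONFLICT = [Acl(BASE, "subtree", "deny", SR, ALL, "public"),
            Acl(BASE, "subtree", "grant", SR, ALL, "public")]

# Public reads the tree; one sensitive entry is denied to public by an entry-scope
# ACL, re-granted to the admins group, and its userPassword denied to one admin DN.
POLICY = [Acl(BASE, "subtree", "grant", SR, ALL, "public"),
          Acl(SECRET, "entry", "deny", SR, ALL, "public"),
          Acl(SECRET, "entry", "grant", SR, ALL, "group", ADMINS),
          Acl(SECRET, "entry", "deny", SR, frozenset({"userpassword"}), "dn", ADMIN.dn)]
```

With POLICY, an anonymous client can search the tree but is denied the secrets entry because the entry-scope ACL beats the subtree grant for the same public subject; the admin is granted that entry through the group ACL, which is more specific than public, and is still denied userPassword there because a specific DN plus a named attribute outranks everything else. CONFLICT yields deny in either order, and an entry outside every Access Control Point falls through to the default deny.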