To modify an existing content access item, select the item and click Edit. The

Managing Directory Access Control 29-25

    by dn=cn=admin, dc=us,dc=example,dc=com search, read, write
    by compare
    access to attr=homePhone
    by self search, read, write
    by read
    access to attr = salary, userPassword, homePhone
    by dn=cn=admin, dc=us,dc=example,dc=com compare, search, read, write
    by compare, search, read

Granting Read-Only Access

This example gives everyone read-only access to address book attributes under dc=example,dc=com. It also extends to everyone read access to all attributes within the dc=us,dc=example,dc=com subtree only.

    ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f my_ldif_file

The orclACI attribute of dc=example,dc=com is specified as follows:

    access to entry
      by * (browse)
    access to attr=(cn, telephone, email)
      by * (search, read)

The orclACI attribute of dc=us,dc=example,dc=com is specified as follows:

    access to entry
      by * (browse)
    access to attr=(*)
      by dn=".*,dc=us,dc=example,dc=com" (search, read)

Granting Selfwrite Access to Group Entries

This example enables people within the US domain to add or remove only their own name (DN) to or from the member attribute of a particular group entry, for example, a mailing list.

    ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f my_ldif_file

The orclEntryLevelACI attribute of the group entry is specified as follows:

    access to attr=(member)
      by dn=".*, dc=us,dc=example,dc=com" (selfwrite)

Defining a Completely Autonomous Policy to Inhibit Overriding Policies

This example denies group override.

    ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f my_ldif_file

The example uses the following DNs:

Table 29–5 DNs Used in Example

    Container                                                                  DN
    -------------------------------------------------------------------------  ---------------------------------------
    Naming context to be restricted from Group overriding policies             c=us
    User container                                                             cn=users,c=us
    Sensitive data                                                             cn=appdata
    User admin group for this naming context                                   cn= user admin group, cn=users,c=us
    Security admin group for this naming context                               cn= security admin group, cn=users,c=us
    Global password admin group for all naming contexts that reset passwords   cn=password admin group

29-26 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

The policy requirements for c=us are as follows:

■ Users can browse and read their information.
■ The user security admin can modify the information under c=us except for passwords and ACPs.
■ The security admin group can modify policies under c=us.
■ The global password admin and the user can reset a password.
■ All other users have no permissions.
■ This policy cannot be overridden.

Required ACP:

    Access to entry DenyGroupOverride
      by dn=".*,c=us" (browse,noadd,nodelete)
      by group="cn=User admin group,cn=users,c=us" (browse,add,delete)
    Access to attr=(orclaci) DenyGroupOverride
      by group="cn=security admin group,cn=users,c=us" (search,read,write,compare)
      by * (none)
    Access to attr=(userpassword) DenyGroupOverride
      by self (search,read,write,compare)
      by group="cn=password admin group" (search,read,write,compare)
      by * (none)
    Access to attr=(*) DenyGroupOverride
      by self (search,read,nowrite,compare)
      by group="cn= User admin group,cn=users,c=us" (search,read,write,compare)
      by * (none)
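An added example, not part of the Oracle guide: a small Python check that an ACP meets two of the requirements listed above (the policy cannot be overridden, and all other users have no permissions). It assumes one directive per line in the form `access to <object> [DenyGroupOverride] by <subject> (<permissions>)` with `*` as the everyone subject; `SAMPLE_ACP`, `parse`, `audit` and the `attr=(mail)` directive are constructed for illustration.

```python
import re

# Directive form assumed: access to <object> [DenyGroupOverride] by <subject> (<perms>) ...
DIRECTIVE = re.compile(
    r'access to\s+(?P<obj>entry|attr\s*!?=\s*\([^)]*\))\s*'
    r'(?P<dgo>DenyGroupOverride)?(?P<rest>.*)', re.I)
BY = re.compile(
    r'\bby\s+(?P<subj>\*|self|\w+=(?:"[^"]*"|\([^)]*\)))\s*\((?P<perms>[^)]*)\)', re.I)

# Constructed sample: three directives of the c=us policy plus one deliberately
# weak directive, attr=(mail), which is hypothetical and not from the guide.
SAMPLE_ACP = '''
access to entry DenyGroupOverride by dn=".*,c=us" (browse,noadd,nodelete) by group="cn=User admin group,cn=users,c=us" (browse,add,delete)
access to attr=(orclaci) DenyGroupOverride by group="cn=security admin group,cn=users,c=us" (search,read,write,compare) by * (none)
access to attr=(userpassword) DenyGroupOverride by self (search,read,write,compare) by group="cn=password admin group" (search,read,write,compare) by * (none)
access to attr=(mail) by self (search,read,write) by * (search,read,write)
'''

def parse(acp_text):
    """Return [(object, has_DenyGroupOverride, [(subject, {perms})]), ...]."""
    out = []
    for line in filter(None, map(str.strip, acp_text.splitlines())):
        m = DIRECTIVE.match(line)
        if not m:
            raise ValueError(f"not an ACI directive: {line!r}")
        clauses = [(b["subj"], {p.strip().lower() for p in b["perms"].split(",")})
                   for b in BY.finditer(m["rest"])]
        out.append((re.sub(r"\s+", "", m["obj"]).lower(), bool(m["dgo"]), clauses))
    return out

def audit(acp_text):
    """Flag directives that break the 'autonomous policy' requirements."""
    findings = []
    for obj, dgo, clauses in parse(acp_text):
        if not dgo:  # requirement: this policy cannot be overridden
            findings.append((obj, "missing DenyGroupOverride"))
        everyone = [perms for subj, perms in clauses if subj == "*"]
        # The page's ACP gives the entry directive no 'by *' clause, so only
        # attribute directives are required to end in an explicit deny.
        if obj != "entry" and not everyone:
            findings.append((obj, "no explicit 'by * (none)' clause"))
        for perms in everyone:  # requirement: all other users have no permissions
            if perms != {"none"}:
                findings.append((obj, "everyone granted " + ",".join(sorted(perms))))
    return findings

if __name__ == "__main__":
    for obj, problem in audit(SAMPLE_ACP):
        print(f"{obj}: {problem}")
```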