From the Authentication Choice list under Bind Mode, select the type of

29-22 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Managing Access Control by Using Command-Line Tools

As described in "Introduction to Managing Directory Access Control" on page 29-1, directory access control policy information is represented as user-modifiable configuration attributes. You can manage it by using command-line tools, including ldapmodify and ldapmodifymt, to set and alter the values of these attributes.

To edit the ACI directly, you should understand the format and semantics of the directory representation of the ACI as described in Appendix H, "The Access Control Directive Format".

This section contains these topics:

■ Restricting the Kind of Entry a User Can Add
■ Setting Up an Inheritable ACP by Using ldapmodify
■ Setting Up Entry-Level ACIs by Using ldapmodify
■ Using Wildcards in an LDIF File with ldapmodify
■ Selecting Entries by DN
■ Using Attribute and Subject Selectors
■ Granting Read-Only Access
■ Granting Selfwrite Access to Group Entries
■ Defining a Completely Autonomous Policy to Inhibit Overriding Policies

Restricting the Kind of Entry a User Can Add

You can specify ACIs to restrict the kind of entries a user can add. For example, you can specify an ACI in the DSE root entry that allows users to add only entries with objectclass=country. To do this, you use the added_object_constraint filter. The directory server then verifies that any new entry complies with the constraints in this filter.

The following example specifies that:

■ The subject cn=admin,c=us can browse, add, and delete under organization entries.
■ The subject cn=admin,c=us can add organizationalUnit objects under organization entries.
■ All others can browse under organization entries.

    access to entry filter=objectclass=organization by group=cn=admin,c=us constraintonaddedobject=objectclass=organisationalunit browse,add,delete by browse

See Also:

■ "LDIF File Formatting Rules and Examples" in Oracle Fusion Middleware Reference for Oracle Identity Management for information about how to format input by using LDIF, the required input format for line-mode commands
■ The ldapmodify command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management for information about how to run ldapmodify
■ Appendix H, "The Access Control Directive Format", for information about the format or syntax of ACIs

Setting Up an Inheritable ACP by Using ldapmodify

This example sets up subtree access permissions in an orclACI at the root DSE by using an LDIF file named my_ldif_file. Because this example refers to the orclACI attribute, this access directive governs all the entries in the DIT.

    ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f my_ldif_file

The LDIF file, my_ldif_file, contains the following:

    dn:
    changetype: modify
    replace: orclaci
    orclaci: access to entry by dn=cn=directory manager, o=IMC, c=us browse, add, delete by browse, noadd, nodelete
    orclaci: access to attr= by dn=cn=directory manager, o=IMC, c=us search, read, write, compare by self search, read, write, compare by search, read, nowrite, nocompare

Setting Up Entry-Level ACIs by Using ldapmodify

This example sets up entry-level access permissions in the orclEntryLevelACI attribute by using an LDIF file named my_ldif_file. Because this example refers to the orclEntryLevelACI attribute, this access directive governs only the entry in which it resides.

    ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f my_ldif_file

The LDIF file, my_ldif_file, contains the following:

    dn:
    changetype: modify
    replace: orclentrylevelaci
    orclentrylevelaci: access to entry by dn=cn=directory manager, o=IMC, c=us browse, add, delete by browse, noadd, nodelete
    orclentrylevelaci: access to attr= by dn=cn=directory manager, o=IMC, c=us search, read, write, compare by search, read, nowrite, nocompare

Using Wildcards in an LDIF File with ldapmodify

This example shows the use of wildcards in the object and subject specifiers. For all entries within the example.com domain, it grants to everyone browse permission on all entries, and read and search permissions on all attributes.

    ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -q -f my_ldif_file

In the ACP at dc=com, the orclACI attribute is specified as follows:

    access to entry by browse
    access to attr= by search, read

Note: In this example, no DN value is specified. This means that this ACI pertains to the root DSE and its attributes only.
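The three ldapmodify examples above all follow the same pattern: write a "changetype: modify / replace: orclaci (or orclentrylevelaci)" record, then apply it with ldapmodify. The following script is an added example, not code from the Oracle guide: it assembles that LDIF record for a list of access directives and lints each directive first, flagging any grant of add, delete or write permissions to everyone and any unconstrained add grant (one without the constraintonaddedobject filter the section on restricting added entries describes). The directive grammar it accepts (quoted dn=/group= subjects, self, * for everyone, permission lists in parentheses) is an assumption taken from the Appendix H format the page refers to, not something shown on this page, and the sample directives are constructed for the demonstration.

```python
"""Added example: assemble the LDIF record that ldapmodify applies to an
orclACI / orclEntryLevelACI attribute, and lint the access directives before
they are pushed to the directory.  The directive grammar accepted here
(quoted dn=/group= subjects, self, * for everyone, permission lists in
parentheses, an optional constraintonaddedobject filter) is assumed from the
Appendix H format the page refers to; the sample directives are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Permissions that change directory data; granting them to "*" is flagged.
MODIFYING = {"add", "delete", "write", "selfwrite"}


@dataclass
class Grant:
    subject: str                     # dn="...", group="...", self or *
    perms: list[str]
    constraint: str | None = None    # constraintonaddedobject=(...) if given


@dataclass
class Aci:
    target: str                      # "entry" or "attr=(...)"
    filter: str | None               # filter=(...) on the entry, if given
    grants: list[Grant] = field(default_factory=list)


HEAD_RE = re.compile(
    r'^\s*access\s+to\s+(?P<target>entry|attr=\([^)]*\))'
    r'(?:\s+filter=(?P<filter>\([^)]*\)))?', re.I)
GRANT_RE = re.compile(
    r'by\s+(?P<subject>(?:dn|group|dnattr|guidattr)="[^"]*"|self|\*)\s*'
    r'(?:constraintonaddedobject=(?P<constraint>\([^)]*\)))?\s*'
    r'\((?P<perms>[^)]*)\)', re.I)


def parse_aci(text: str) -> Aci:
    """Split one 'access to ... by ... (...)' directive into its grants."""
    head = HEAD_RE.match(text)
    if not head:
        raise ValueError(f"not an access directive: {text!r}")
    aci = Aci(target=head.group("target"), filter=head.group("filter"))
    for g in GRANT_RE.finditer(text, head.end()):
        perms = [p.strip().lower() for p in g.group("perms").split(",") if p.strip()]
        aci.grants.append(Grant(g.group("subject"), perms, g.group("constraint")))
    if not aci.grants:
        raise ValueError(f"no 'by <subject> (<permissions>)' clause in {text!r}")
    return aci


def lint(aci: Aci) -> list[str]:
    """Findings a reviewer would want before the directive goes live."""
    findings = []
    for g in aci.grants:
        if g.subject == "*":
            bad = sorted(MODIFYING & set(g.perms))
            if bad:
                findings.append(f"WARN: '*' (everyone) granted {','.join(bad)} on {aci.target}")
        elif aci.target == "entry" and "add" in g.perms and g.constraint is None:
            # Without constraintonaddedobject the subject may add entries of any object class.
            findings.append(f"INFO: {g.subject} may add entries of any object class (no constraintonaddedobject)")
    return findings


def fold(line: str, width: int = 76) -> list[str]:
    """RFC 2849 line folding: continuation lines start with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def build_ldif(dn: str, attr: str, directives: list[str]) -> str:
    """Render the 'changetype: modify / replace: <attr>' record shown on the page.
    An empty dn addresses the root DSE, as in the page's examples."""
    for d in directives:                      # refuse to emit a directive that does not parse
        parse_aci(d)
    lines = ["dn: " + dn if dn else "dn:", "changetype: modify", f"replace: {attr}"]
    for d in directives:
        lines.extend(fold(f"{attr}: {d}"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed directives modelled on the page's inheritable-ACP example.
    sample = [
        'access to entry by dn="cn=directory manager, o=IMC, c=us" (browse, add, delete) '
        'by * (browse, noadd, nodelete)',
        'access to attr=(*) by dn="cn=directory manager, o=IMC, c=us" (search, read, write, compare) '
        'by self (search, read, write, compare) by * (search, read, nowrite, nocompare)',
    ]
    for d in sample:
        for finding in lint(parse_aci(d)):
            print(finding)
    print(build_ldif("", "orclaci", sample), end="")
```

Run it and redirect the output to my_ldif_file, then apply the file with the ldapmodify command from the section above. Folding long orclaci values keeps each physical line under 76 characters, which ldapmodify re-joins; the lint runs before any LDIF is emitted, so a directive that hands add or delete to everyone is caught at the terminal rather than after it has been inherited by the whole DIT.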