From the task selection bar, select Security.

29-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Access control policies can be prescriptive, that is, their security directives can be set to apply downward to all entries at lower positions in the directory information tree (DIT). The point from which such an access control policy applies is called an access control policy point (ACP).

ACIs are represented and stored as text strings in the directory. These strings must conform to a well-defined format, called the ACI directive format. Each valid value of an ACI attribute represents a distinct access control policy.

The following features of directory access control can be used by applications running in a hosted environment.

■ Prescriptive access control
Enables the service provider to specify access control lists (ACLs) for a collection of directory objects, instead of having to state the policies for each individual object. This feature simplifies the administration of access control, especially in large directories where many objects are governed by identical or similar policies.

■ Hierarchical access control administration model
Enables the service provider to delegate directory administration to hosted companies. The realm could in turn delegate further if necessary.

■ Administrative override control for delegated domains
Enables the service provider to perform diagnosis and recovery from unintentional account lockout or accidental security exposure.

■ Dynamic evaluation of access control entities
Enables subtree administrators to identify both subjects and objects in terms of their namespace and their association with other objects in the directory. For example, the administrator of one realm can allow only a user's manager to update that user's salary attribute. The administrator of another realm can establish and enforce a different policy regarding salary attributes.

You manage access control policies by configuring the values of the ACI attributes within appropriate entries. You can do this by using either Oracle Directory Services Manager or ldapmodify.

This section contains these topics:

■ Access Control Management Constructs
■ Access Control Information Components
■ Access Level Requirements for LDAP Operations

Access Control Management Constructs

This section discusses the structures used for access control in Oracle Internet Directory. These include:

■ Access Control Policy Points (ACPs)
■ The orclACI attribute for prescriptive access control
■ The orclEntryLevelACI attribute for entry-level access control
■ Privilege Groups
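The following Python model, added here as an illustration and not taken from the guide or from Oracle Internet Directory itself, shows how prescriptive orclACI values on ACPs apply downward to every entry below them while an entry's own orclEntryLevelACI applies only to that entry. The DNs, the in-memory directory and the ACI strings are constructed placeholders; the real ACI directive format is not reproduced.

```python
# Added example (not from the guide): model how prescriptive ACIs on ACPs
# cover every entry at lower positions in the DIT, and how an entry-level
# ACI covers only its own entry. All DNs and ACI values are constructed
# placeholders; real ACI directive syntax is intentionally not shown.

def dn_components(dn):
    """Split a DN into its RDNs, most specific first (assumes no escaped commas)."""
    return [rdn.strip() for rdn in dn.split(",")]

def ancestors(dn):
    """Yield the entry's own DN, then each ancestor DN up to the root suffix."""
    parts = dn_components(dn)
    for i in range(len(parts)):
        yield ",".join(parts[i:])

def effective_acis(directory, target_dn):
    """Return (policy_dn, attribute, aci) triples that govern target_dn.

    Order: the entry's own orclEntryLevelACI first, then orclACI values from
    the nearest ACP outward to the root, mirroring how a prescriptive policy
    set at a higher ACP applies to all entries below it."""
    result = []
    entry = directory.get(target_dn, {})
    for aci in entry.get("orclEntryLevelACI", []):
        result.append((target_dn, "orclEntryLevelACI", aci))
    for acp_dn in ancestors(target_dn):
        for aci in directory.get(acp_dn, {}).get("orclACI", []):
            result.append((acp_dn, "orclACI", aci))
    return result

def governing_policy_points(directory, target_dn):
    """Distinct ACP DNs (nearest first) whose orclACI values cover target_dn."""
    return [dn for dn in ancestors(target_dn)
            if directory.get(dn, {}).get("orclACI")]

# Constructed sample DIT: a service-provider ACP at the root suffix, a
# delegated realm ACP below it, and an entry-level ACI on one user entry.
SAMPLE_DIT = {
    "dc=example,dc=com": {
        "orclACI": ["CONSTRUCTED: provider admins may browse and modify all entries"],
    },
    "o=realm1,dc=example,dc=com": {
        "orclACI": ["CONSTRUCTED: realm1 admins may manage users in this subtree"],
    },
    "cn=alice,ou=people,o=realm1,dc=example,dc=com": {
        "orclEntryLevelACI": ["CONSTRUCTED: alice's manager may write the salary attribute"],
    },
}
```

A second realm (o=realm2) that has no ACP of its own is still covered by the root ACP, which is the administrative override the guide describes.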