Managing Directory Access Control 29-3 Access Control Policy Points ACPs ACPs are entries in which the orclACI attribute has been given a value. The orclACI attribute value represents the access policies that are inherited by the subtree of entries starting with the ACP as the root of the subtree. When a hierarchy of multiple ACPs exists in a directory subtree, a subordinate entry in that subtree inherits the access policies from all of the superior ACPs. The resulting policy is an aggregation of the policies within the ACP hierarchy above the entry. For example, if an ACP is established in the HR department entry, and the Benefits, Payroll, and Insurance groups are entries within the HR department, then any entry within those groups inherits the access rights specified in the HR department entry. When there are conflicting policies within a hierarchy of ACPs, the directory applies well-defined precedence rules in evaluating the aggregate policy. The orclACI Attribute for Prescriptive Access Control The orclACI attribute contains access control list ACL directives that are prescriptive—that is, these directives apply to all entries in the subtree below the ACP where this attribute is defined. Any entry in the directory can contain values for this attribute. Access to this attribute itself is controlled in the same way as access to any other attribute. The orclEntryLevelACI Attribute for Entry-Level Access Control When a policy pertains only to a specific entity—for example, a special user—you can maintain the ACL directives within the entry for that entity. You do this by using a user-modifiable configuration attribute called orclEntryLevelACI. This attribute contains ACL directives only for the entry with which it is associated. Any directory entry can optionally carry a value for this attribute. This is because Oracle Internet Directory extends the abstract object class top to include orclEntryLevelACI as an optional attribute. The orclEntryLevelACI attribute is multi-valued and has a structure similar to that of orclACI. See Also: How ACL Evaluation Works on page 29-12 Note: It is possible to represent ACL directives specific to a single entry in the orclACI attribute. However, in such scenarios, for administrative convenience and performance advantages, Oracle recommends using orclEntryLevelACI—discussed in The orclEntryLevelACI Attribute for Entry-Level Access Control . This is because the LDAP configuration overhead increases with the number of directives represented through orclACI. You can reduce this overhead by moving entry specific directives from orclACI to orclEntryLevelACI. See Also: Object: To What Are You Granting Access? on page 29-7 for the structure definition of the orclEntryLevelACI attribute