Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) Part Number E10029-01 |
|
|
View PDF |
This appendix describes the format (syntax) of any access control item (ACI). It contains these topics:
The access control directive defined by the user attribute orclACI
has the following schema:
OrclACI:{ object_identifier NAME 'orclACI' DESC 'Stores an inheritable ACI' EQUALITY accessDirectiveMatch SYNTAX 'accessDirectiveDescription' USAGE 'directoryOperation'} accessDirectiveDescription has the following BNF: <accessDirectiveDescription> ::= access to <object> [by <subject> ( <accessList> )]+ <object> ::= [attr <EQ-OR-NEQ> ( * | (<attrList>) ) | entry] [filter=(<ldapFilter>)] [DenyGroupOverride] [AppendToAll] <subject> ::= <entity> [<BindMode>] [Added_object_constraint=(<ldapFilter>)] <entity> ::= * | self | dn="<regex>" | dnAttr=(<dn_attribute>) | group="<dn>" | guidattr=(<guid_attribute>) | groupattr=(<group_attribute>) | [SuperUser] BindMode=(LDAP_authentication_choice)|LDAP_security_choice) LDAP_authentication_choice::= proxy | simple | MD5Digest | PKCS12 LDAP_security_choice::= SSLNoAuth | SSLOneWay | SASL <accessList> ::= <access> | <access>, <accessList> <access> ::= none | compare | search | browse | proxy | read | selfwrite | write | add | delete | nocompare | nosearch | nobrowse | noproxy |noread | noselfwrite | nowrite | noadd | nodelete <attrList> ::= <attribute name> | <attribute name>,<attrList> <EQ-OR-NEQ> ::= = | != <regex> ::= <dn> | *,<dn_of_any_subtree_root>
Note:
The regular expression defined earlier is not meant to match any arbitrary expression. The syntax only allows expressions where the wildcard is followed by a comma and a valid DN. The latter DN denoted by <dn_of_any_subtree_root> is intended to specify the root of some subtree.The BER format for orclEntryLevelACI
is the same as the format for orclACI
.
The entry level access control directive defined by the user attribute orclEntryLevelACI
has the following schema:
"orclEntryLevelACI": { object_identifier NAME 'orclEntryLevelACI' DESC 'Stores entry level ACL Directive' EQUALITY accessDirectiveMatch SYNTAX 'orclEntryLevelACIDescription' USAGE 'directoryOperation' } <orclEntryLevelACIDescription> ::= access to <object> [by <subject> ( <accessList> )]+