SAS® Integration Technologies: Administrator's Guide (LDAP Version)
SAS® Integration Technologies: Administrator's Guide (LDAP Version)
SAS® Integration Technologies: Administrator's Guide (LDAP Version)
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
There are two other subject specifications that are sometimes used: userdnattr and groupdnattr. These specify that an<br />
attribute on the entry will contain a DN, and if the DN matches the bound user, it will apply the rule.<br />
ACI Rule Considerations<br />
Since ACI rules are cumulative, it is important to be careful granting access at a node that has a deep tree under it. For<br />
example, if read access is granted to all users at the node cn=SAS,o=SAS Institute, c=US, then it becomes<br />
difficult to restrict that access further down, such as at the container where logins are stored. Therefore, it is important<br />
to look at the whole directory tree before deciding on an access policy.<br />
From an efficiency point of view, the fewer access control instructions the better, as long as the data is secured in a<br />
meaningful way. Using groups is a good way to accomplish this, and make access control easier to manage at the<br />
same time. It is a lot easier to add or remove a user from a group than try to find all of the ACI rules that reference that<br />
user's DN, or figure out all of the different kinds of access a user requires.<br />
Access Control Examples<br />
<strong>SAS®</strong> <strong>Integration</strong> <strong>Technologies</strong>: <strong>Administrator's</strong> <strong>Guide</strong> (<strong>LDAP</strong> <strong>Version</strong>)<br />
ACI: (target="ldap:///o=SAS Institute,c=US")<br />
(targetattr=*)( version 3.0; acl<br />
" allow portal user"; allow (all)<br />
userdn="ldap:///cn=Portal User,ou=People,<br />
o=SAS Institute,c=US";)<br />
This example allows the user with a DN of cn=Portal User,ou=People,o=SAS Institute,c=US all<br />
access to everything in the directory. This level of access is unusual, but acceptable for this example because the<br />
Portal User identity is used by an application that performs very specific operations in the directory.<br />
ACI: (target="ldap:///o=SAS Institute,c=US")<br />
(targetattr=*)(targetfilter="(| (objectclass=sascontainer)<br />
(objectclass=sascomponentcontainer)) ")(version 3.0; acl<br />
"see sascontainers"; allow (compare, read, search)<br />
userdn="ldap:///all";)<br />
This example is somewhat unusual, but it has a specific purpose. It allows all non−anonymous users to see<br />
sascontainers and sascomponentcontainers in order to facilitate browsing.<br />
ACI: (target="ldap:///cn=sassubscribers,<br />
sascomponent=saspublishsubscribe,cn=sas,o=sas institute,<br />
c=us")(targetattr="*")(version 3.0; acl "owner has all<br />
rights"; allow (all) userdnattr = "saspersondn";)<br />
This example is also unusual, because it uses the userdnattr specifier. This ACI rule grants all permissions to a user<br />
whose bind DN is found in the saspersondn attribute of an entry below<br />
cn=sassubscribers,sascomponent=saspublishsubscribe,cn=sas,o=sas institute,c=US. This is important to allow users to<br />
update their own subscriber entries.<br />
ACI: (target="ldap:///saschannelcn=Orders for Manufacturing<br />
Materials,cn=saschannels,sascomponent=sasPublishSubscribe,<br />
cn=SAS,o=SAS Institute,c=us")(targetattr="*")(version 3.0;<br />
acl "allow valid users"; allow (compare,add,read,search)<br />
groupdn = "ldap:///cn=IDBGroup,ou=Groups,o=SAS Institute,<br />
c=US||ldap:///cn=Sales,ou=Groups,o=SAS Institute,c=US"; )<br />
Sun ONE and Netscape Directory Server Access ControlOverview 230