SAS® Integration Technologies: Administrator's Guide (LDAP Version)
sascomponent=sasPortal
The SAS Information Delivery Portal Installation Guide contains guidelines for setting the access controls on portal entries.
sascomponent=sasDataSources
This is another location that requires careful consideration. Libraries, tables, infomarts and other data sources may all have individual security requirements. The most important thing to remember is not to place access controls at the container level unless you want that access to apply to every entry below it, because an ACI set on a container is inherited by its whole subtree.
Other locations
Other areas can be opened for read by any bound user, but you must make sure you do not put the ACI rule too far up in the tree, since an ACI applies to the entry it is set on and to everything below it. For instance, the container cn=sasservers,sascomponent=sasServer can be opened for read by all bound users, but granting that same access one level up, at sascomponent=sasServer, also gives read access to the logins stored under that component.
Deny ACI Rules
Deny ACI rules are a useful tool in certain situations, but they can be dangerous. If you want to limit access to a segment of the tree when higher-level ACI rules have already allowed access, a deny rule at the top of that segment accomplishes that. Remember, though, that a deny cannot be undone: the server gives a matching deny precedence over any allow, wherever the allow is placed. In other words, if you deny access at a directory entry to all users who are not in a specified group, you cannot then allow a user who is not in that group to access an entry lower in the tree.
You must also remember that an explicit deny is not the same as an implicit allow. If you deny everyone except one group, it does not necessarily mean that everyone in that group is allowed. If no explicit allow was ever specified, the users in that group still do not have access, because the server denies access by default. Deny ACI rules are usually most useful when used with a != operator on the subject, for example:
ACI: (target="ldap:///sasUniqueName=Security Group A - A000000E.WHSECGRP.A00001X7,cn=sasContentObjects,sasmetadatacn=A0000001.WHDW.A000000E,cn=sasMetadataRepositories,sascomponent=sasMetadataRepository,cn=sas,o=sas institute,c=us")
     (targetattr="*")
     (version 3.0; acl "Security Policy"; deny (all)
      groupdn != "ldap:///cn=Distributed Technologies,ou=groups,o=SAS Institute,c=US || ldap:///cn=IDBGroup,ou=groups,o=SAS Institute,c=US";)
This rule denies all access to this entry and everything below it to anyone who is not a member of either of the two groups named in the bind rule (Distributed Technologies or IDBGroup); it grants nothing to those groups by itself. The rule to remember is this: do not use deny unless there is no other way to accomplish what you need to do.
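The placement advice under "Other locations" and the two warnings about deny rules are easy to get wrong when reasoning about a real tree, so what follows is a small Python model of them. It is an added example, not code from this guide, from SAS, or from Sun ONE/Netscape Directory Server: it encodes only the three behaviours the text relies on (an ACI covers the entry it sits on and every entry below it; nothing is permitted unless some ACI allows it; a matching deny takes precedence over every allow) and replays the sasServer placement mistake and the Security Group A deny against constructed entries. The DNs of the sample server, login, child and user entries, and the assumption that login entries live under cn=saslogins,sascomponent=sasServer, are illustrative; the server's real ACI syntax is not parsed, the bind rules are plain Python predicates.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed base DN matching the one used in the guide's ACI example.
BASE = "cn=sas,o=sas institute,c=us"


def norm(dn: str) -> str:
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(entry: str, container: str) -> bool:
    """True when entry is the container itself or any entry below it in the tree."""
    e, c = norm(entry), norm(container)
    return e == c or e.endswith("," + c)


@dataclass
class Bind:
    """The bound user: its DN and the group DNs the server resolves for it."""
    dn: str
    groups: Set[str]


@dataclass
class Aci:
    placed_at: str                      # entry the ACI is attached to; scope is its subtree
    effect: str                         # "allow" or "deny"
    rights: Set[str]                    # e.g. {"read"} or {"all"}
    bind_rule: Callable[[Bind], bool]   # stands in for the userdn/groupdn subject
    name: str = ""


# Bind-rule helpers standing in for the ACI subject keywords.
def anyone_bound(_: Bind) -> bool:
    """userdn = "ldap:///all": any authenticated user."""
    return True


def in_groups(*dns: str) -> Callable[[Bind], bool]:
    """groupdn = "A || B": member of at least one listed group."""
    wanted = {norm(d) for d in dns}
    return lambda b: bool(wanted & {norm(g) for g in b.groups})


def not_in_groups(*dns: str) -> Callable[[Bind], bool]:
    """groupdn != "A || B": member of none of the listed groups."""
    inside = in_groups(*dns)
    return lambda b: not inside(b)


def access(entry: str, right: str, bind: Bind, acis: List[Aci]) -> bool:
    """Decide one right on one entry. Default is deny; a matching deny wins over
    every allow no matter where in the tree either rule is placed."""
    allowed = False
    for aci in acis:
        if not is_under(entry, aci.placed_at):
            continue
        if not aci.bind_rule(bind):
            continue
        if right not in aci.rights and "all" not in aci.rights:
            continue
        if aci.effect == "deny":
            return False        # a deny cannot be undone by any allow
        allowed = True
    return allowed              # explicit deny is not an implicit allow


def placement_scenario() -> Dict[str, bool]:
    """Read opened at cn=sasservers versus one level up at sascomponent=sasServer."""
    servers = f"cn=sasservers,sascomponent=sasServer,{BASE}"
    server_entry = f"sasUniqueName=Workspace Server 1,{servers}"          # constructed
    # Assumed location for login entries; the guide only says they sit under sascomponent=sasServer.
    login_entry = f"sasUniqueName=someuser login,cn=saslogins,sascomponent=sasServer,{BASE}"
    user = Bind(f"cn=someuser,ou=people,{BASE}", set())
    at_servers = [Aci(servers, "allow", {"read"}, anyone_bound, "read servers")]
    too_high = [Aci(f"sascomponent=sasServer,{BASE}", "allow", {"read"}, anyone_bound, "read sasServer")]
    return {
        "server readable, ACI at cn=sasservers": access(server_entry, "read", user, at_servers),
        "login readable, ACI at cn=sasservers": access(login_entry, "read", user, at_servers),
        "login readable, ACI at sascomponent=sasServer": access(login_entry, "read", user, too_high),
    }


def deny_scenario() -> Dict[str, bool]:
    """The guide's Security Policy deny: outsiders stay denied even when an allow is
    added below it, and the named groups get nothing until an explicit allow exists."""
    dt = "cn=Distributed Technologies,ou=groups,o=SAS Institute,c=US"
    idb = "cn=IDBGroup,ou=groups,o=SAS Institute,c=US"
    group_a = ("sasUniqueName=Security Group A - A000000E.WHSECGRP.A00001X7,cn=sasContentObjects,"
               "sasmetadatacn=A0000001.WHDW.A000000E,cn=sasMetadataRepositories,"
               f"sascomponent=sasMetadataRepository,{BASE}")
    child = f"cn=report 1,{group_a}"                                        # constructed
    outsider = Bind(f"cn=outsider,ou=people,{BASE}", set())
    idb_member = Bind(f"cn=insider,ou=people,{BASE}", {idb})
    deny = Aci(group_a, "deny", {"all"}, not_in_groups(dt, idb), "Security Policy")
    allow_child = Aci(child, "allow", {"read"}, anyone_bound, "attempt to reopen child")
    allow_groups = Aci(group_a, "allow", {"read"}, in_groups(dt, idb), "explicit allow for the groups")
    return {
        "outsider reads child despite lower allow": access(child, "read", outsider, [deny, allow_child]),
        "IDB member reads with deny only": access(child, "read", idb_member, [deny]),
        "IDB member reads with deny + explicit allow": access(child, "read", idb_member, [deny, allow_groups]),
    }


if __name__ == "__main__":
    for question, answer in {**placement_scenario(), **deny_scenario()}.items():
        print(f"{answer!s:5}  {question}")
```

Swap your own container and entry DNs into the two scenario functions to check where an allow or deny will actually reach before you load it into the directory; the model says nothing about attribute-level targeting or anonymous binds, which the real server also evaluates.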
Sun ONE and Netscape Directory Server Access Control Overview 232