Skip Headers
Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2)
B14082-02
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

C The Access Control Directive Format

This appendix describes the format (syntax) of any access control item (ACI). It contains these topics:

C.1 Schema for orclACI

The access control directive defined by the user attribute orclACI has the following schema:

OrclACI: { object_identifier NAME 'orclACI' DESC 'Stores an inheritable ACI' EQUALITY accessDirectiveMatch SYNTAX 'accessDirectiveDescription'  USAGE  'directoryOperation'}

accessDirectiveDescription has the following BNF:
<accessDirectiveDescription> 
                  ::= access to <object> [by <subject> ( <accessList> )]+

<object> ::= [attr <EQ-OR-NEQ> ( * | (<attrList>) ) | entry] [filter=(<ldapFilter>)] [DenyGroupOverride] [AppendToAll]

<subject> ::= <entity> [<BindMode>] [Added_object_constraint=(<ldapFilter>)]
<entity> ::= * | self | dn="<regex>" | dnAttr=(<dn_attribute>) | group="<dn>" | guidattr=(<guid_attribute>) | groupattr=(<group_attribute>) | [SuperUser]

BindMode=(LDAP_authentication_choice)|LDAP_security_choice)
LDAP_authentication_choice::= proxy | simple | MD5Digest | PKCS12
LDAP_security_choice::= SSLNoAuth | SSLOneWay | SASL

<accessList> ::= <access> | <access>, <accessList>

<access> ::= none | compare | search | browse | proxy | read | selfwrite | write | add | delete | nocompare | nosearch | nobrowse | noproxy |noread | noselfwrite | nowrite | noadd | nodelete 

<attrList> ::=  <attribute name> | <attribute name>,<attrList>

<EQ-OR-NEQ> ::=  = | !=

<regex> ::= <dn> | *,<dn_of_any_subtree_root>

Note:

The regular expression defined earlier is not meant to match any arbitrary expression. The syntax only allows expressions where the wild card is followed by a comma and a valid DN. The latter DN denoted by <dn_of_any_subtree_root> is intended to specify the root of some subtree.

C.2 Schema for orclEntryLevelACI

The entry level access control directive defined by the user attribute orclEntryLevelACI has the following schema:

"orclEntryLevelACI": { object_identifier NAME 'orclEntryLevelACI' DESC 'Stores entry level ACL Directive'  EQUALITY accessDirectiveMatch SYNTAX 'orclEntryLevelACIDescription' USAGE 'directoryOperation' }

<orclEntryLevelACIDescription>  ::= access to <object> [by <subject> ( <accessList> )]+