<?xml version="1.0" encoding="UTF-8"?>

<document>
<properties>
<author email="akarasulu">akarasulu</author>
<title>AllowSelfPasswordModify</title>
</properties>
<body>
<source>{
  identificationTag "allowSelfAccessAndModification",
  precedence 14,
  authenticationLevel none,
  itemOrUserFirst userFirst:
  {
    userClasses { thisEntry },
    userPermissions
    {
      { protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse, grantRead } },
      { protectedItems {allAttributeValues {userPassword}}, grantsAndDenials { grantAdd, grantRemove } }
    }
  }
}
</source>
<section heading="h2" name="Commentary">
<p>
Note that two different user permissions are used to precisely specify self
access and self modification of the *userPassword* attribute within the entry.
With the first userPermission of this ACI a user is able to read all
attributes and values within his/her own entry. They also have the ability to
modify the entry, but on its own this is moot, since they cannot add, remove or
replace any attribute values within their entry. The second user permission
completes the picture by granting add and remove permissions on all values of
userPassword. This means the user can replace the password, and only the
password.</p>
<table>
<tr>
<th>
<img src="http://docs.safehaus.org/images/icons/emoticons/information.png"/>
</th>
<th>
<center>"grantAdd + grantRemove = grantReplace"</center>
</th>
</tr>
<tr>
<td/>
<td>
<p>
Modify operations in LDAP either add, remove or replace attributes and their
values. X.500 seems to have overlooked the replace capability, so there is no
such thing as a *grantReplace* permission. Instead, both grantAdd and
grantRemove on an attribute and its values are required for a replace
operation to take place.</p>
</td>
</tr>
</table>
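<p>
The following Python script is an added illustration for the commentary above
and for the "grantAdd + grantRemove = grantReplace" note; it is not part of the
original page and is not the ApacheDS authorization engine. It models only the
slice of X.501 basic access control needed to show how the two userPermissions
of this ACI combine: the entry-level grantModify alone lets nothing change,
while grantAdd plus grantRemove on userPassword values is what makes a replace
of the password possible. The DNs and the textual form of the protected items
are constructed for the example.
</p>

```python
"""Simplified model of the AllowSelfPasswordModify ACI (added example).

Assumptions, labelled here and not taken from the page: protected items are
spelled as plain strings ("entry", "allAttributeValues:userPassword"),
DN matching for thisEntry is case-insensitive string equality, and the
requirements per LDAP change type are the ones described in the page's note
(replace needs grantAdd and grantRemove, since no grantReplace exists).
"""

# The ACI from the page, transcribed into plain Python data.
ACI = {
    "userClasses": {"thisEntry"},
    "userPermissions": [
        {
            "protectedItems": {"entry"},
            "grants": {"grantModify", "grantBrowse", "grantRead"},
        },
        {
            "protectedItems": {"allAttributeValues:userPassword"},
            "grants": {"grantAdd", "grantRemove"},
        },
    ],
}

# Grants each LDAP modify change type needs on the attribute's values.
REQUIRED_FOR_CHANGE = {
    "add": {"grantAdd"},
    "delete": {"grantRemove"},
    "replace": {"grantAdd", "grantRemove"},  # X.500 defines no grantReplace
}


def grants_for(aci, item):
    """Union of the grants from every userPermission protecting `item`."""
    granted = set()
    for perm in aci["userPermissions"]:
        if item in perm["protectedItems"]:
            granted.update(perm["grants"])
    return granted


def can_modify(aci, bind_dn, target_dn, change_type, attribute):
    """Return True when the bound user may apply `change_type` to `attribute`.

    thisEntry only matches when the user is modifying its own entry, so a
    bind DN that differs from the target DN never gets this ACI's grants.
    """
    if "thisEntry" in aci["userClasses"] and bind_dn.lower() != target_dn.lower():
        return False
    # The modify operation itself needs grantModify on the entry ...
    if "grantModify" not in grants_for(aci, "entry"):
        return False
    # ... and each change needs the matching grants on the attribute's values.
    needed = REQUIRED_FOR_CHANGE[change_type]
    have = grants_for(aci, "allAttributeValues:" + attribute)
    return needed.issubset(have)


if __name__ == "__main__":
    # Constructed sample DNs for a self-service password change.
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    for who, change, attr in [
        (alice, "replace", "userPassword"),  # permitted: add + remove granted
        (alice, "replace", "mail"),          # denied: grantModify alone is moot
        (bob, "replace", "userPassword"),    # denied: not thisEntry
    ]:
        verdict = "ALLOW" if can_modify(ACI, who, alice, change, attr) else "DENY"
        print(verdict, who, change, attr)
```

Running the script shows the asymmetry the commentary describes: alice may
add, delete or replace her own userPassword values, every other attribute of
her entry stays read-only despite grantModify, and bob gets nothing on alice's
entry because thisEntry does not match him.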
</section>
</body>
</document>