| Title: 4.2 - Authorization |
| NavPrev: 4.1.4-certificate-authn.html |
| NavPrevText: 4.1.4 - Client authentication through certificates |
| NavUp: 4-authentication-and-authorization.html |
| NavUpext: 4 - Authentication & Authorization |
| NavNext: 4.3-password-policy.html |
| NavNextText: 4.3 - Password Policy |
| Notice: Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| . |
| http://www.apache.org/licenses/LICENSE-2.0 |
| . |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| # 4.2 - Authorization |
| ApacheDS uses an adaptation of the X.500 basic access control scheme in |
| combination with X.500 subentries to control access to entries and |
| attributes within the DIT. This document will show you how to enable the |
| basic access control mechanism and how to define access control information |
| to manage access to protected resources. |
| |
| ## Chapter content |
| |
| * [4.2.1 - Introduction](4.2.1-introduction.html) |
| * [4.2.2 - Definitions](4.2.2-definitions.html) |
| * [4.2.3 - Enabling access control](4.2.3-enabling-access-control.html) |
| * [4.2.4 - Aci Types](4.2.4-aci-types.html) |
| * [4.2.5 - Aci Elements](4.2.5-aci-elements.html) |
| * [4.2.6 - The Acdf Engine](4.2.6-the-acdf-engine.html) |
| * [4.2.7 - Using Acis Trail](4.2.7-using-acis-trail.html) |
| * [4.2.8 - Acis Administration](4.2.8-acis-administration.html) |
| * [4.2.9 - Migration from other Ldap Servers](4.2.9-migration-from-other-ldap-servers.html) |
| * [4.2.10 - Aci Grammar](4.2.10-aci-grammar.html) |
| * [4.2.11 - Links and References](4.2.11-links-and-references.html) |
| |
| |
| ## Some Simple Examples |
| |
| The ACIItem syntax is very expressive and that makes it extremely powerful |
| for specifying complex access control policies. However the syntax is not |
| very easy to grasp for beginners. For this reason we start with simple |
| examples that focus on different protection mechanisms offered by the |
| ACIItem syntax. We do this instead of specifying the grammar which is not |
| the best way to learn a language. |
| |
| <DIV class="warning" markdown="1"> |
| <B>Before you go any further...</B> |
| Please don't go any further until you have read up on the use of |
| Subentries. Knowledge of subentries, subtreeSpecifications, administrative |
| areas, and administrative roles are required to properly digest the |
| following material. |
| </DIV> |
| |
| Before going on to these trails you might want to set up an Administrative |
| Area for managing access control via prescriptiveACI. Both subentryACI and |
| prescriptiveACI require the presence of an Administrative Point entry. For |
| more information and code examples see [ACAreas](acareas.html). |
| |
| ### ACI Trails |
| |
| Here are some trails that resemble simple HOWTO guides. They're ordered |
| with the most pragmatic usage first. We will add to these trails over |
| time. |
| |
| | Trail | Description | |
| |---|---| |
| | DenySubentryAccess (TBW) | Protecting access to subentries themselves. || Enabling access to browse and read all entries and their attributes by authenticated users. | |
| | [Allow Self Password Modify](4.2.7.2-allow-self-password-modify.html) | Granting users the rights needed to change their own passwords. | |
| | GrantAddDelModToGroup (TBW) | Granting add, delete, and modify permissions to a group of users. | |
| | GrantModToEntry (TBW) | Applying ACI to a single entry. | |
| | [Enable Authenticated Users to Browse and Read Entries](4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html) |