content/apacheds/advanced-ug/4.2-authorization.mdtext - directory-site - Git at Google

 Title: 4.2 - Authorization
 NavPrev: 4.1.4-certificate-authn.html
 NavPrevText: 4.1.4 - Client authentication through certificates
 NavUp: 4-authentication-and-authorization.html
 NavUpext: 4 - Authentication & Authorization
 NavNext: 4.3-password-policy.html
 NavNextText: 4.3 - Password Policy
 Notice: Licensed to the Apache Software Foundation (ASF) under one
     or more contributor license agreements.  See the NOTICE file
     distributed with this work for additional information
     regarding copyright ownership.  The ASF licenses this file
     to you under the Apache License, Version 2.0 (the
     "License"); you may not use this file except in compliance
     with the License.  You may obtain a copy of the License at
     .
     http://www.apache.org/licenses/LICENSE-2.0
     .
     Unless required by applicable law or agreed to in writing,
     software distributed under the License is distributed on an
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
     under the License.

 # 4.2 - Authorization
 ApacheDS uses an adaptation of the X.500 basic access control scheme in
 combination with X.500 subentries to control access to entries and
 attributes within the DIT. This document will show you how to enable the
 basic access control mechanism and how to define access control information
 to manage access to protected resources.

 ## Chapter content

 * [4.2.1 - Introduction](4.2.1-introduction.html)
 * [4.2.2 - Definitions](4.2.2-definitions.html)
 * [4.2.3 - Enabling access control](4.2.3-enabling-access-control.html)
 * [4.2.4 - Aci Types](4.2.4-aci-types.html)
 * [4.2.5 - Aci Elements](4.2.5-aci-elements.html)
 * [4.2.6 - The Acdf Engine](4.2.6-the-acdf-engine.html)
 * [4.2.7 - Using Acis Trail](4.2.7-using-acis-trail.html)
 * [4.2.8 - Acis Administration](4.2.8-acis-administration.html)
 * [4.2.9 - Migration from other Ldap Servers](4.2.9-migration-from-other-ldap-servers.html)
 * [4.2.10 - Aci Grammar](4.2.10-aci-grammar.html)
 * [4.2.11 - Links and References](4.2.11-links-and-references.html)


 ## Some Simple Examples

 The ACIItem syntax is very expressive and that makes it extremely powerful
 for specifying complex access control policies. However the syntax is not
 very easy to grasp for beginners. For this reason we start with simple
 examples that focus on different protection mechanisms offered by the
 ACIItem syntax. We do this instead of specifying the grammar which is not
 the best way to learn a language.

 <DIV class="warning" markdown="1">
 <B>Before you go any further...</B>
 Please don't go any further until you have read up on the use of
 Subentries. Knowledge of subentries, subtreeSpecifications, administrative
 areas, and administrative roles are required to properly digest the
 following material.
 </DIV>

 Before going on to these trails you might want to set up an Administrative
 Area for managing access control via prescriptiveACI.  Both subentryACI and
 prescriptiveACI require the presence of an Administrative Point entry.	For
 more information and code examples see [ACAreas](acareas.html).

 ### ACI Trails

 Here are some trails that resemble simple HOWTO guides.  They're ordered
 with the most pragmatic usage first.  We will add to these trails over
 time.

 | Trail | Description |
 |---|---|
 | DenySubentryAccess (TBW) | Protecting access to subentries themselves. || Enabling access to browse and read all entries and their attributes by authenticated users. |
 | [Allow Self Password Modify](4.2.7.2-allow-self-password-modify.html) | Granting users the rights needed to change their own passwords. |
 | GrantAddDelModToGroup (TBW) | Granting add, delete, and modify permissions to a group of users. |
 | GrantModToEntry (TBW) | Applying ACI to a single entry. |
 | [Enable Authenticated Users to Browse and Read Entries](4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html)
	Title: 4.2 - Authorization
	NavPrev: 4.1.4-certificate-authn.html
	NavPrevText: 4.1.4 - Client authentication through certificates
	NavUp: 4-authentication-and-authorization.html
	NavUpext: 4 - Authentication & Authorization
	NavNext: 4.3-password-policy.html
	NavNextText: 4.3 - Password Policy
	Notice: Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at
	.
	http://www.apache.org/licenses/LICENSE-2.0
	.
	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.

	# 4.2 - Authorization
	ApacheDS uses an adaptation of the X.500 basic access control scheme in
	combination with X.500 subentries to control access to entries and
	attributes within the DIT. This document will show you how to enable the
	basic access control mechanism and how to define access control information
	to manage access to protected resources.

	## Chapter content

	* [4.2.1 - Introduction](4.2.1-introduction.html)
	* [4.2.2 - Definitions](4.2.2-definitions.html)
	* [4.2.3 - Enabling access control](4.2.3-enabling-access-control.html)
	* [4.2.4 - Aci Types](4.2.4-aci-types.html)
	* [4.2.5 - Aci Elements](4.2.5-aci-elements.html)
	* [4.2.6 - The Acdf Engine](4.2.6-the-acdf-engine.html)
	* [4.2.7 - Using Acis Trail](4.2.7-using-acis-trail.html)
	* [4.2.8 - Acis Administration](4.2.8-acis-administration.html)
	* [4.2.9 - Migration from other Ldap Servers](4.2.9-migration-from-other-ldap-servers.html)
	* [4.2.10 - Aci Grammar](4.2.10-aci-grammar.html)
	* [4.2.11 - Links and References](4.2.11-links-and-references.html)


	## Some Simple Examples

	The ACIItem syntax is very expressive and that makes it extremely powerful
	for specifying complex access control policies. However the syntax is not
	very easy to grasp for beginners. For this reason we start with simple
	examples that focus on different protection mechanisms offered by the
	ACIItem syntax. We do this instead of specifying the grammar which is not
	the best way to learn a language.

	<DIV class="warning" markdown="1">
	<B>Before you go any further...</B>
	Please don't go any further until you have read up on the use of
	Subentries. Knowledge of subentries, subtreeSpecifications, administrative
	areas, and administrative roles are required to properly digest the
	following material.
	</DIV>

	Before going on to these trails you might want to set up an Administrative
	Area for managing access control via prescriptiveACI. Both subentryACI and
	prescriptiveACI require the presence of an Administrative Point entry. For
	more information and code examples see [ACAreas](acareas.html).

	### ACI Trails

	Here are some trails that resemble simple HOWTO guides. They're ordered
	with the most pragmatic usage first. We will add to these trails over
	time.

	\| Trail \| Description \|
	\|---\|---\|
	\| DenySubentryAccess (TBW) \| Protecting access to subentries themselves. \|\| Enabling access to browse and read all entries and their attributes by authenticated users. \|
	\| [Allow Self Password Modify](4.2.7.2-allow-self-password-modify.html) \| Granting users the rights needed to change their own passwords. \|
	\| GrantAddDelModToGroup (TBW) \| Granting add, delete, and modify permissions to a group of users. \|
	\| GrantModToEntry (TBW) \| Applying ACI to a single entry. \|
	\| [Enable Authenticated Users to Browse and Read Entries](4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html)