| Title: 4.2.4.3 - SubentryACI |
| NavPrev: 4.2.4.2-prescriptiveaci.html |
| NavPrevText: 4.2.4.2 - Prescriptive Aci |
| NavUp: 4.2.4-aci-types.html |
| NavUpText: 4.2.4 - Aci Types |
| NavNext: 4.2.5-aci-elements.html |
| NavNextText: 4.2.5 - ACI Elements |
| Notice: Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| . |
| http://www.apache.org/licenses/LICENSE-2.0 |
| . |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| # 4.2.4.3 - SubentryACI |
| |
| Access to subentries also needs to be controlled. Subentries are special in |
| ApacheDS. Although they subordinate to an administrative entry (entry of an |
| Administrative Point), they are technically considered to be in the same |
| context as their administrative entry. ApacheDS considers the perscriptive |
| ACI applied to the administrative entry, to also apply to its subentries. |
| |
| This however is not the most intuitive mechanism to use for explicitly |
| controlling access to subentries. A more explicit mechanism is used to |
| specify ACIs specifically for protecting subentries. ApacheDS uses the |
| multivalued operational attribute, *subentryACI*, within administrative |
| entries to control access to immediately subordinate subentries. |
| |
| Protection policies for ACIs themselves can be managed within the entry of |
| an administrative point. |
| |