An Administrative Point is an entry that defines the starting point from which some of the four existing administrative roles span. It's important to understand that an Administrative Point (or AP) comes hand in hand with its associated Subentries; otherwise it's useless.
Any entry can be defined as an AP.
In the following schema, we have depicted a DIT with three APs: the big one is an AAP, the blue one is a SAP and the green one is an IAP. Each defines an area in which it is active, and the dashed lines for the IAP express the fact that an entry within the IAP area still depends on the higher AAP.
Directly under an AP, we will find some Subentries defining the scopes on which they are active. These scopes (one per subentry) are called SubtreeSpecification, and define the entries that can be handled by the role the Subentry is defined for.
The schema shows the relation between the AP and one Subentry:
We will describe the types of Administrative Points we are managing and the way they impact their associated Administrative Areas (AA).
We have three different kinds of AP:
Those three different APs are related to each other in this way:
APs manage an administrative aspect, defined by a role:
Once we have defined an AP, we can add some subentries which contain the description of the administrative actions, including:
The SubtreeSpecification can be complex. Its grammar is given below:
    <subtreeSpecification> ::= '{' <sps-e> <subtreeSpecificationComponent-e> '}'

    <subtreeSpecificationComponent-e> ::=
          <subtreeSpecificationComponent> <sps-e> <subtreeSpecificationComponent-list>
        | e

    <subtreeSpecificationComponent-list> ::=
          ',' <sps-e> <subtreeSpecificationComponent> <sps-e> <subtreeSpecificationComponent-list>
        | e

    <subtreeSpecificationComponent> ::=
          'base' <sps> DN
        | 'specificExclusions' <sps> '{' <sps-e> <specificExclusion-e> '}'
        | 'minimum' <sps> INTEGER
        | 'maximum' <sps> INTEGER
        | 'specificationFilter' <sps> <refinement-filter>

    <specificExclusion-e> ::=
          <specificExclusion> <sps-e> <specificExclusion-list>
        | e

    <specificExclusion-list> ::=
          ',' <sps-e> <specificExclusion> <sps-e> <specificExclusion-list>
        | e

    <specificExclusion> ::=
          'chopBefore' <sps-e> ':' <sps-e> DN
        | 'chopAfter' <sps-e> ':' <sps-e> DN

    <refinement-filter> ::= <refinement> | FILTER

    <refinement> ::=
          'item' <sps-e> ':' <sps-e> <oid>
        | 'and' <sps-e> ':' <sps-e> '{' <sps-e> <refinement-e> '}'
        | 'or' <sps-e> ':' <sps-e> '{' <sps-e> <refinement-e> '}'
        | 'not' <sps-e> ':' <sps-e> <refinement>

    <refinement-e> ::=
          <refinement> <sps-e> <refinement-list>
        | e

    <refinement-list> ::=
          ',' <sps-e> <refinement> <sps-e> <refinement-list>
        | e

    <oid> ::= DESCR | NUMERICOID

    <sps> ::= ' ' <sps-e>

    <sps-e> ::= ' ' <sps-e> | e
Some examples of such subtrees:

select all the entries below the AdministrativePoint entry:

    {}

select all the entries below the ou=users branch starting from the AdministrativePoint entry:

    { base "ou=users" }

exclude all the entries below the "ou=groups" branch:

    { specificExclusions { chopBefore:"ou=groups" } }
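
Because a SubtreeSpecification decides which entries a subentry's role applies to, it is worth validating one before it is stored. The following parser is an added example in Python, not ApacheDS code; it covers only the `base`, `minimum`, `maximum` and `specificExclusions` components of the grammar above. The function name, the returned dictionary layout and the defaults used for absent components are assumptions made for the illustration.

```python
import re

_TOKEN = re.compile(r'(?P<punct>[{},:])|"(?P<dn>[^"]*)"|(?P<int>\d+)'
                    r'|(?P<word>[A-Za-z]+)|(?P<bad>\S)')
_COMPONENTS = ("base", "minimum", "maximum", "specificExclusions")
_CLOSE = [("punct", "}")]

def parse_subtree_specification(text):
    """Parse a spec without specificationFilter; spacing is laxer than the BNF."""
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in _TOKEN.finditer(text)]
    i = 0

    def take(kind, value=None):
        nonlocal i
        if i >= len(toks) or toks[i][0] != kind or value not in (None, toks[i][1]):
            raise ValueError(f"expected {value or kind} at token {i}")
        i += 1
        return toks[i - 1][1]
    # Assumed defaults when a component is absent: empty base is the AP itself.
    spec = {"base": "", "minimum": 0, "maximum": None, "chopBefore": [], "chopAfter": []}
    seen = []
    take("punct", "{")
    while toks[i:i + 1] != _CLOSE:
        if seen:
            take("punct", ",")
        key = take("word")
        # Stricter than the BNF: a repeated component is rejected, not overwritten.
        if key in seen or key not in _COMPONENTS:
            raise ValueError(f"duplicate or unsupported component {key}")
        seen.append(key)
        if key == "base":
            spec["base"] = take("dn")
        elif key in ("minimum", "maximum"):
            spec[key] = int(take("int"))
        else:  # specificExclusions
            take("punct", "{")
            while toks[i:i + 1] != _CLOSE:
                if spec["chopBefore"] or spec["chopAfter"]:
                    take("punct", ",")
                chop = take("word")
                if chop not in ("chopBefore", "chopAfter"):
                    raise ValueError(f"unknown exclusion {chop}")
                take("punct", ":")
                spec[chop].append(take("dn"))
            take("punct", "}")
    take("punct", "}")
    if i != len(toks):
        raise ValueError("trailing input after closing brace")
    return spec
```

Anything the parser does not recognise, including `specificationFilter`, raises `ValueError` rather than being ignored, so a specification is never accepted with part of its scope silently dropped.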