(2) add marker class and attributes to dc=jesswitch,dc=com
objectclass:sunManagedOrganization
objectclass:organization
o:jesswitch
objectclass:sunNameSpace
sunNameSpaceUniqueAttrs:o,sunPreferredDomain,associatedDomain,sunOrganization
objectclass:sunISManagedOrganization
sunOrganizationAlias:v1280-137-06.mdelabs-mpk.com
inetDomainStatus:Active
sunRegisteredServiceName:iPlanetAMAuthService
sunRegisteredServiceName:iPlanetAMAuthLDAPService
sunRegisteredServiceName:iPlanetPolicyConfigService
sunRegisteredServiceName:iPlanetAMAuthenticationDomainConfigService
sunRegisteredServiceName:iPlanetAMProviderConfigService
(3) assign proxy permission to account cn=puser to access dc=jesswitch,dc=com
it is done by creating an aci
aci: (target="ldap:///dc=jesswitch,dc=com")(targetattr="*")(version 3.0; acl "S1IS Proxy user rights"; allow (proxy) userdn = "ldap:///cn=puser,ou=DSAME Users,dc=jesswitch,dc=com"; )
(4) assign all permissions to account cn=dsameuser to access dc=jesswitch,dc=com
it is done by creating an aci
aci: (target="ldap:///dc=jesswitch,dc=com")(targetattr="*")(version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,dc=jesswitch,dc=com"; )
(5) assign read and search permissions to account cn=amldapuser to access dc=jesswitch,dc=com
aci: (target="ldap:///dc=jesswitch,dc=com")(targetattr="*")(version 3.0; acl "S1IS special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=amldapuser,ou=DSAME Users,dc=jesswitch,dc=com"; )
(6) deny write permission on the attributes of cn=amldapuser to users who do not have cn=Top-level Admin Role
aci: (target="ldap:///cn=amldapuser,ou=DSAME Users,dc=jesswitch,dc=com")(targetattr = "*") (version 3.0; acl "S1IS special ldap auth user modify right"; deny (write) roledn != "ldap:///cn=Top-level Admin Role,dc=jesswitch,dc=com"; )
(7) assign all permissions to users with cn=Top-level Admin Role for dc=jesswitch,dc=com
aci: (target="ldap:///dc=jesswitch,dc=com")(targetattr="*")(version 3.0; acl "S1IS Top-level admin rights"; allow (all) roledn = "ldap:///cn=Top-level Admin Role,dc=jesswitch,dc=com"; )
(8) deny delete permission to anonymous users on cn=Top-level Admin Role for all attributes
aci: (target="ldap:///cn=Top-level Admin Role,dc=jesswitch,dc=com")(targetattr="*")(version 3.0; acl "S1IS Top-level admin delete right denied"; deny (delete) userdn = "ldap:///anyone"; )
(9) deny all permissions to users without cn=Top-level Admin Role, cn=dsameuser or cn=puser for the iplanet-am-saml-user and iplanet-am-saml-password attributes of all entries with objectclass=iplanet-am-saml-service
since there is no target defined, the access control applies to all entries
aci: (targetattr="iplanet-am-saml-user || iplanet-am-saml-password")(targetfilter="(objectclass=iplanet-am-saml-service)")(version 3.0; acl "S1IS Right to modify saml user and password"; deny (all) (roledn != "ldap:///cn=Top-level Admin Role,dc=jesswitch,dc=com") AND (userdn != "ldap:///cn=dsameuser,ou=DSAME Users,dc=jesswitch,dc=com") AND (userdn != "ldap:///cn=puser,ou=DSAME Users,dc=jesswitch,dc=com"); )
(10) deny delete permission on all attributes to all users for the dc=jesswitch,dc=com entry itself
aci: (target="ldap:///dc=jesswitch,dc=com")(targetfilter=(entrydn=dc=jesswitch,dc=com))(targetattr="*")(version 3.0; acl "S1IS Default Organization delete right denied"; deny (delete) userdn = "ldap:///anyone"; )
(11) assign read and search permissions on all attributes to cn=Top-level Help Desk Admin Role for entries under dc=jesswitch,dc=com that do not have nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com
aci: (target="ldap:///dc=jesswitch,dc=com")(targetfilter=(!(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)))(targetattr = "*") (version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow"; allow (read,search) roledn = "ldap:///cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com";)
(12) assign write permission on the userPassword attribute to cn=Top-level Help Desk Admin Role for all entries under dc=jesswitch,dc=com that do not have nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com
aci: (target="ldap:///dc=jesswitch,dc=com")(targetfilter=(!(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)))(targetattr = "userPassword") (version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow"; allow (write) roledn = "ldap:///cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com";)
(13) assign read and search permissions on all attributes to cn=Top-level Policy Admin Role for all entries under dc=jesswitch,dc=com that do not have nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com
aci: (target="ldap:///dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com))))(targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (read,search) roledn = "ldap:///cn=Top-level Policy Admin Role,dc=jesswitch,dc=com";)
(14) deny add, write and delete permissions on all attributes to cn=Top-level Policy Admin Role for ou=iPlanetAMAuthService,ou=services,*dc=jesswitch,dc=com
aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*dc=jesswitch,dc=com")(targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access Auth Service deny"; deny (add,write,delete) roledn = "ldap:///cn=Top-level Policy Admin Role,dc=jesswitch,dc=com";)
(15) assign all permissions on all attributes to cn=Top-level Policy Admin Role for all ou=services,*dc=jesswitch,dc=com
aci: (target="ldap:///ou=services,*dc=jesswitch,dc=com")(targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (all) roledn = "ldap:///cn=Top-level Policy Admin Role,dc=jesswitch,dc=com";)
(16) assign read, write and search permissions on the sunRegisteredServiceName attribute to cn=Top-level Policy Admin Role for entries under dc=jesswitch,dc=com which have objectclass=sunismanagedorganization
aci: (target="ldap:///dc=jesswitch,dc=com")(targetfilter="(objectclass=sunismanagedorganization)")(targetattr = "sunRegisteredServiceName") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (read,write,search) roledn = "ldap:///cn=Top-level Policy Admin Role,dc=jesswitch,dc=com";)
(17) assign read, search and compare permissions to anonymous users on entire entries for all attributes except userPassword || passwordHistory || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordAllowChangeTime
aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordAllowChangeTime ") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
(18) deny self delete permission to users for entire entries and all attributes
aci: (targetattr = "*")(version 3.0; acl "S1IS Deny deleting self"; deny (delete) userdn ="ldap:///self";)
(19) deny self write permission to the attributes below, except for entries with cn=Top-level Admin Role
aci: (targetattr = "objectclass || inetuserstatus || iplanet-am-user-login-status || iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life || iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions || iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class")(targetfilter=(!(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)))(version 3.0; acl "S1IS User status self modification denied"; deny (write) userdn ="ldap:///self";)
(20) assign self write permission to entire entries except for the attributes below
aci: (targetattr != "iplanet-am-static-group-dn || uid || nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf || iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list")(version 3.0; acl "S1IS Allow self entry modification except for nsroledn, aci, and resource limit attributes"; allow (write)userdn ="ldap:///self";)
(21) assign self read and search permissions, except for the attributes below
aci: (targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || iplanet-am-domain-url-access-allow")(version 3.0; acl "S1IS Allow self entry read search except for nsroledn, aci, resource limit and web agent policy attributes"; allow (read,search)userdn ="ldap:///self";)
(22) assign anonymous read, search and compare permissions to ou=services,dc=jesswitch,dc=com, but not to entries with objectclass=sunServiceComponent
aci: (target="ldap:///ou=services,dc=jesswitch,dc=com")(targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")(version 3.0; acl "S1IS Services anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
(23) assign anonymous read, search and compare access to ou=iPlanetAMAdminConsoleService for all attributes
aci: (target="ldap:///ou=iPlanetAMAdminConsoleService,*,dc=jesswitch,dc=com")(targetattr = "*")(version 3.0; acl "S1IS iPlanetAMAdminConsoleService anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
(24) assign all permissions to cn=Organization Admin Role on entries under ($dn),dc=jesswitch,dc=com that do not have nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com, nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com or nsroledn=cn=Top-level Policy Admin Role,dc=jesswitch,dc=com, for all attributes except nsroledn
aci: (target="ldap:///($dn),dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Policy Admin Role,dc=jesswitch,dc=com))))(targetattr != "nsroledn")(version 3.0; acl "S1IS Organization Admin Role access allow all"; allow (all) roledn = "ldap:///cn=Organization Admin Role,[$dn],dc=jesswitch,dc=com";)
(25) deny write, add, delete, compare and proxy permissions on all attributes to cn=Organization Admin Role,($dn),dc=jesswitch,dc=com for its own role entry cn=Organization Admin Role,($dn),dc=jesswitch,dc=com
aci: (target="ldap:///cn=Organization Admin Role,($dn),dc=jesswitch,dc=com")(targetattr="*")(version 3.0; acl "S1IS Organization Admin Role access deny"; deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=Organization Admin Role,($dn),dc=jesswitch,dc=com";)
(26)
aci: (target="ldap:///($dn),dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Policy Admin Role,dc=jesswitch,dc=com))))(targetattr != "nsroledn")(version 3.0; acl "S1IS Container Admin Role access allow"; allow (all) roledn = "ldap:///cn=Container Admin Role,[$dn],dc=jesswitch,dc=com";)
(27)
aci: (target="ldap:///cn=Container Admin Role,($dn),dc=jesswitch,dc=com")(targetattr="*")(version 3.0; acl "S1IS Container Admin Role access deny"; deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=Container Admin Role,($dn),dc=jesswitch,dc=com";)
(28)
aci: (target="ldap:///dc=jesswitch,dc=com")(targetattr!="nsroledn")(version 3.0; acl "S1IS Group admin's right to the users he creates"; allow (all) userattr = "iplanet-am-modifiable-by#ROLEDN";)
(29)
aci: (target="ldap:///dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Policy Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Organization Admin Role,dc=jesswitch,dc=com))))(targetattr = "*") (version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; allow (read,search) roledn = "ldap:///cn=Organization Help Desk Admin Role,dc=jesswitch,dc=com";)
(30)
aci: (target="ldap:///dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Policy Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Organization Admin Role,dc=jesswitch,dc=com))))(targetattr = "userPassword") (version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; allow (write) roledn = "ldap:///cn=Organization Help Desk Admin Role,dc=jesswitch,dc=com";)
(31)
aci: (target="ldap:///ou=People,dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Policy Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Organization Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Container Admin Role,dc=jesswitch,dc=com))))(targetattr != "iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list || nsroledn") (version 3.0; acl "S1IS Group and people container admin role"; allow (all) roledn = "ldap:///cn=ou=People_dc=jesswitch_dc=com,dc=jesswitch,dc=com";)
(32)
aci: (targetattr = "*")(version 3.0; acl "S1IS Deny write to anonymous user"; deny (add,write,delete) roledn ="ldap:///cn=Deny Write Access,dc=jesswitch,dc=com";)
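The ACIs above only make sense together: (17) has no target and grants anonymous read on everything except the password attributes it lists, (8) and (10) deny delete to ldap:///anyone, which every bind satisfies whether anonymous or authenticated, so the deny reaches dsameuser as well, and in Directory Server a matching deny overrides any allow. The Python script below is an added example, not part of the original post and not Access Manager or Directory Server code: it parses ACIs in the syntax used above and computes the rights a subject ends up with on one attribute of one entry. Its input is copies of ACIs (17), (8), (4) and (22) from this post. Assumptions: the entry DNs checked (uid=jdoe,ou=People,dc=jesswitch,dc=com and the service entry) are constructed; targetfilter clauses are decided by a caller-supplied predicate, because evaluating an LDAP filter needs the entry's attributes; and bind rules are matched as whole normalised strings, so a compound rule like the one in (9) is one string.

```python
import re

# ACIs copied from the post above (LDIF "aci: " prefix dropped): steps (17), (8),
# (4) and (22).  They are the input the checks below run over.
ACIS = [
    '(targetattr != "userPassword || passwordHistory || passwordExpirationTime || '
    'passwordExpWarned || passwordRetryCount || retryCountResetTime || '
    'accountUnlockTime || passwordAllowChangeTime ") (version 3.0; acl '
    '"Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)',
    '(target="ldap:///cn=Top-level Admin Role,dc=jesswitch,dc=com")(targetattr="*")'
    '(version 3.0; acl "S1IS Top-level admin delete right denied"; '
    'deny (delete) userdn = "ldap:///anyone"; )',
    '(target="ldap:///dc=jesswitch,dc=com")(targetattr="*")(version 3.0; acl '
    '"S1IS special dsame user rights for all under the root suffix"; allow (all) '
    'userdn = "ldap:///cn=dsameuser,ou=DSAME Users,dc=jesswitch,dc=com"; )',
    '(target="ldap:///ou=services,dc=jesswitch,dc=com")'
    '(targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")'
    '(version 3.0; acl "S1IS Services anonymous access"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
]

# Directory Server ACI semantics: the "all" right is every right except proxy.
ALL_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite"}
TARGET_RE = re.compile(r"^(targetattr|targetfilter|target)\s*(!?=)\s*(.*)$", re.S)
RULE_RE = re.compile(r'acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;?\s*$', re.S)

def split_clauses(aci):
    """Top-level '(...)' clauses; quotes and nested parentheses (LDAP filters,
    permission lists) do not end a clause."""
    clauses, depth, start, in_quote = [], 0, 0, False
    for i, ch in enumerate(aci):
        if ch == '"':
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                clauses.append(aci[start + 1:i].strip())
    if depth or in_quote:
        raise ValueError("unbalanced ACI: " + aci)
    return clauses

def parse_aci(aci):
    """Scope, filter, acl name, effect, rights and a whitespace-normalised bind rule."""
    p = {"target": None, "targetattr": ("=", ["*"]), "targetfilter": None}  # no targetattr => all
    for clause in split_clauses(aci):
        if clause.startswith("version"):
            m = RULE_RE.search(clause)
            if not m:
                raise ValueError("cannot parse permission rule: " + clause)
            rights = {r.strip() for r in m.group(3).split(",")}
            if "all" in rights:
                rights = (rights - {"all"}) | ALL_RIGHTS
            p.update(name=m.group(1), effect=m.group(2), rights=rights,
                     bind_rule=re.sub(r"\s*=\s*", "=", m.group(4)))
        else:
            m = TARGET_RE.match(clause)
            if not m:
                raise ValueError("unknown clause: " + clause)
            key, op, value = m.group(1), m.group(2), m.group(3).strip().strip('"')
            if key == "targetattr":
                value = [a.strip().lower() for a in value.split("||") if a.strip()]
            p[key] = (op, value)
    return p

def attr_in_scope(p, attr):
    op, attrs = p["targetattr"]
    hit = "*" in attrs or attr.lower() in attrs
    return hit if op == "=" else not hit

def target_covers(p, entry_dn):
    """No target means the whole directory; otherwise the entry must be the target
    DN or lie beneath it ('*' in the target DN is a wildcard)."""
    if p["target"] is None:
        return True
    op, url = p["target"]
    pattern = re.escape(url.replace("ldap:///", "")).replace(r"\*", ".*")
    hit = re.fullmatch(r"(?:.*,)?" + pattern, entry_dn, re.I) is not None
    return hit if op == "=" else not hit

def effective_rights(acis, entry_dn, attr, subject_rules, filter_matches=lambda f: True):
    """Rights a subject ends up with on one attribute of one entry.  subject_rules is
    the set of normalised bind rules the bound identity satisfies; filter_matches
    decides targetfilter clauses.  Nothing is granted unless an ACI allows it, and
    any matching deny overrides every allow (deny takes precedence)."""
    allowed, denied = set(), set()
    for p in map(parse_aci, acis):
        if not (target_covers(p, entry_dn) and attr_in_scope(p, attr)):
            continue
        if p["targetfilter"] and not filter_matches(p["targetfilter"][1]):
            continue
        if p["bind_rule"] in subject_rules:
            (allowed if p["effect"] == "allow" else denied).update(p["rights"])
    return allowed - denied

# Normalised bind rules; ldap:///anyone is satisfied by every bind, so an
# authenticated subject such as dsameuser carries it in its set as well.
ANYONE = 'userdn="ldap:///anyone"'
DSAMEUSER = 'userdn="ldap:///cn=dsameuser,ou=DSAME Users,dc=jesswitch,dc=com"'
```

Feeding effective_rights the full ACI list from this post, with the bind-rule sets of the subjects actually deployed (amldapuser, the help desk roles, ldap:///self plus ldap:///anyone for an ordinary user), gives a quick pre-go-live check that no ACI hands anonymous read on userPassword or delete on cn=Top-level Admin Role to anyone, and that the deny in (8) does reach dsameuser despite the allow (all) in (4).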
(33) add o=Internet,dc=jesswitch,dc=com entry with marker class
objectClass: top
objectClass: organization
o: Internet
(34) add cn=Deny Write Access,dc=jesswitch,dc=com role
cn=Top-level Admin Role,dc=jesswitch,dc=com role
cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com role
cn=Top-level Policy Admin Role,dc=jesswitch,dc=com role
(35) add ou=People,dc=jesswitch,dc=com people container
(36) add cn=ou=People_dc=jesswitch_dc=com,dc=jesswitch,dc=com
people container admin role
(37) ou=Groups,dc=jesswitch,dc=com
cn=puser,ou=DSAME Users,dc=jesswitch,dc=com
cn=dsameuser,ou=DSAME Users,dc=jesswitch,dc=com
cn=amldapuser,ou=DSAME Users,dc=jesswitch,dc=com
uid=amAdmin,ou=People,dc=jesswitch,dc=com
with nsRoleDN: cn=Top-level Admin Role,dc=jesswitch,dc=com
uid=anonymous,ou=People,dc=jesswitch,dc=com
with nsRoleDN: cn=Deny Write Access,dc=jesswitch,dc=com
cn=amService-UrlAccessAgent,ou=DSAME Users,dc=jesswitch,dc=com
(38)
cn=ContainerDefaultTemplateRole,dc=jesswitch,dc=com
(39)
ou=ClientData,dc=jesswitch,dc=com
ou=SunAMClientData,ou=ClientData,dc=jesswitch,dc=com
ou=1.0,ou=SunAMClientData,ou=ClientData,dc=jesswitch,dc=com
(40) ou=services,dc=jesswitch,dc=com
ou=DAI,ou=services,dc=jesswitch,dc=com
ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
ou=PluginConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
ou=Instances,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
ou=default,ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
ou=FilteredRole,ou=default,ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
sunkeyvalue: searchtemplatename=BasicFilteredRoleSearch
sunkeyvalue: objectclass=iplanet-am-managed-filtered-role
sunkeyvalue: creationtemplatename=BasicFilteredRole
ou=PeopleContainer,ou=default,ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
sunkeyvalue: objectclass=iplanet-am-managed-people-container
sunkeyvalue: creationtemplatename=BasicPeopleContainer
sunkeyvalue: searchtemplatename=BasicPeopleContainerSearch
ou=Agent,ou=default,ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
sunkeyvalue: searchtemplatename=BasicAgentSearch
sunkeyvalue: servicename=iPlanetAMAgentService
sunkeyvalue: type=100
sunkeyvalue: creationtemplatename=BasicAgent
sunkeyvalue: statusattribute=sunIdentityServerDeviceStatus
sunkeyvalue: parentcontainertype=3
sunkeyvalue: objectclass=sunIdentityServerDevice
sunkeyvalue: parentcontainerdn=agents
ou=AssignableDynamicGroup,ou=default,ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
sunkeyvalue: creationtemplatename=BasicAssignableDynamicGroup
sunkeyvalue: searchtemplatename=BasicAssignableDynamicGroupSearch
sunkeyvalue: parentcontainerdn=groups
sunkeyvalue: type=12
sunkeyvalue: objectclass=iplanet-am-managed-assignable-group
sunkeyvalue: parentcontainertype=4
ou: AssignableDynamicGroup
ou=Client,ou=default,ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
sunkeyvalue: searchtemplatename=BasicClientSearch
sunkeyvalue: creationtemplatename=BasicClient
ou=templates,ou=default,ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
ou=StructureTemplates,ou=templates,ou=default,ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
ou=GroupContainer,ou=StructureTemplates,ou=templates,ou=default,ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
sunserviceid: StructureUmsObjects
sunkeyvalue: priority=0
sunkeyvalue: class=com.iplanet.ums.OrganizationalUnit
sunkeyvalue: name=ou=Groups
sunkeyvalue: filter=(objectClass=iplanet-am-managed-group-container)
sunkeyvalue: template=BasicGroupContainer
ou=DPOrgPolicyAdminRole,ou=StructureTemplates,ou=templates,ou=default,ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
sunserviceid: StructureUmsObjects
sunkeyvalue: filter=(cn=Organization Policy Admin Role)
sunkeyvalue: template=Organization Policy Admin Role
sunkeyvalue: name=cn=Organization Policy Admin Role
sunkeyvalue: class=com.iplanet.ums.ManagedRole
ou=PeopleContainer,ou=StructureTemplates,ou=templates,ou=default,ou=GlobalConfig,ou=1.0,ou=DAI,ou=services,dc=jesswitch,dc=com
objectClass: sunServiceComponent
sunserviceid: StructureUmsObjects
sunkeyvalue: template=BasicPeopleContainer
sunkeyvalue: name=ou=People
sunkeyvalue: priority=0
sunkeyvalue: filter=(ou=People)
sunkeyvalue: class=com.iplanet.ums.PeopleContainer