Penrose 0.9.8 Access Control
Access control instructions (ACIs) are defined per entry in conf/mapping.xml:
```xml
<entry dn="ou=users,dc=example,dc=com">
    ...
    <aci subject="...">
        <dn>...</dn>
        <target>...</target>
        <attributes>...</attributes>
        <scope>...</scope>
        <action>...</action>
        <permission>...</permission>
    </aci>
</entry>
```
Subject
The ACI's subject determines which entities the ACI applies to.
| Subject | Description |
|---|---|
| anybody | Anybody (default) |
| anonymous | Unauthenticated users |
| authenticated | Authenticated users |
| self | User accessing his/her own entry |
| user | A specific user |
| group | Members of a specific group (not supported) |
The root user always has access to anything.
Distinguished Name
The <dn>...</dn> element is only required when the subject is set to "user" or "group"; its value is the DN of that user or group.
Target
The ACI's target determines whether the ACI applies to the entire entry or only to some of its attributes.
| Target | Description |
|---|---|
| OBJECT | The entry where the ACI is defined (default) |
| ATTRIBUTES | The entry's attributes where the ACI is defined (not supported) |
Attributes
The <attributes>...</attributes> element is only required when the target is set to ATTRIBUTES.
Scope
The ACI's scope determines whether the ACI is propagated to the entry's descendants.
| Scope | Description |
|---|---|
| SUBTREE | The ACI will affect the subtree based on this entry (default) |
| OBJECT | The ACI will affect this entry only |
Action
The ACI's action determines whether the listed permissions are granted or denied.
| Action | Description |
|---|---|
| grant | Granting permission (default) |
| deny | Denying permission |
Permission
The ACI's permission lists the types of operation being granted or denied. Several letters can be combined in one element (for example, rs for read and search).
| Permission | Description |
|---|---|
| r | Permission to read this entry |
| w | Permission to modify this entry |
| s | Permission to search this entry |
| a | Permission to add a child entry |
| d | Permission to delete this entry |
Evaluation
ACIs are evaluated starting from the target entry and moving up toward the root entry. Within an entry, ACIs are evaluated in the order they are defined, from top to bottom. Evaluation stops at the first ACI that explicitly grants or denies the requested permission for the subject.
Examples
To allow anybody to read and search the entire directory, add the following ACI at the root node:
```xml
<entry dn="dc=example,dc=com">
    ....
    <aci>
        <permission>rs</permission>
    </aci>
</entry>
```
In the following example, the ACI denies anonymous read and search access to a particular subtree. Everybody else keeps read and search access there, because the grant from the root ACI in the previous example is inherited by the subtree and nothing in it matches authenticated users.
```xml
<entry dn="ou=private,dc=example,dc=com">
    ....
    <aci subject="anonymous">
        <action>deny</action>
        <permission>rs</permission>
    </aci>
</entry>
```
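The following is an added example, not Penrose's own code: a small Python model of the evaluation rule described above (walk from the target entry up to the root, top-to-bottom within an entry, first explicit grant or deny wins), run against a constructed mapping.xml fragment that contains the two example entries from this page plus one extra "self" ACI on ou=users to show a subject other than anybody/anonymous. Two things are assumptions, because the page does not state them: the root user's DN (placeholder "uid=root") and the outcome when no ACI matches at all (modelled here as deny). DN comparison is simplified to case-insensitive, comma-split matching.

```python
"""Added example (not Penrose's own code): a model of the ACI evaluation rule."""
import xml.etree.ElementTree as ET

# Constructed mapping.xml fragment: the page's two example entries plus a
# "self" ACI that lets users modify their own entry under ou=users.
MAPPING_XML = """
<mapping>
  <entry dn="dc=example,dc=com">
    <aci>
      <permission>rs</permission>
    </aci>
  </entry>
  <entry dn="ou=private,dc=example,dc=com">
    <aci subject="anonymous">
      <action>deny</action>
      <permission>rs</permission>
    </aci>
  </entry>
  <entry dn="ou=users,dc=example,dc=com">
    <aci subject="self">
      <permission>w</permission>
    </aci>
  </entry>
</mapping>
"""

ROOT_USER_DN = "uid=root"  # assumption: placeholder, not a real Penrose setting


def normalize(dn):
    """Simplified DN canonicalisation: trim and lowercase each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(",")) if dn else ""


def ancestors(dn):
    """Yield the DN itself, then each parent up to the top-level suffix."""
    parts = dn.split(",")
    for i in range(len(parts)):
        yield ",".join(parts[i:])


def parse_acis(xml_text):
    """Return {entry_dn: [aci, ...]} keeping the top-to-bottom ACI order.
    Defaults follow the page's tables: subject=anybody, scope=SUBTREE, action=grant."""
    acis = {}
    for entry in ET.fromstring(xml_text.strip()).findall("entry"):
        dn = normalize(entry.get("dn"))
        for aci in entry.findall("aci"):
            acis.setdefault(dn, []).append({
                "subject": aci.get("subject", "anybody"),
                "dn": normalize(aci.findtext("dn", "")),
                "scope": aci.findtext("scope", "SUBTREE").strip().upper(),
                "action": aci.findtext("action", "grant").strip().lower(),
                "permission": set(aci.findtext("permission", "").strip()),
            })
    return acis


def subject_matches(aci, bind_dn, target_dn):
    """Map the page's subject keywords onto the bind DN (None = anonymous)."""
    subject = aci["subject"]
    if subject == "anybody":
        return True
    if subject == "anonymous":
        return bind_dn is None
    if subject == "authenticated":
        return bind_dn is not None
    if subject == "self":
        return bind_dn is not None and bind_dn == target_dn
    if subject == "user":
        return bind_dn is not None and bind_dn == aci["dn"]
    return False  # "group" is listed as not supported on the page


def check_access(acis, bind_dn, target_dn, permission):
    """True if `permission` (one letter: r, w, s, a, d) is granted to bind_dn on target_dn."""
    bind_dn = normalize(bind_dn) if bind_dn else None
    target_dn = normalize(target_dn)
    if bind_dn == ROOT_USER_DN:
        return True  # the page: the root user always has access to anything
    for entry_dn in ancestors(target_dn):          # target entry first, then upwards
        for aci in acis.get(entry_dn, []):          # top to bottom within an entry
            if aci["scope"] == "OBJECT" and entry_dn != target_dn:
                continue                            # OBJECT scope does not propagate
            if permission not in aci["permission"]:
                continue                            # ACI says nothing about this operation
            if not subject_matches(aci, bind_dn, target_dn):
                continue
            return aci["action"] == "grant"         # first explicit grant/deny wins
    return False  # assumption: no matching ACI means access is denied


if __name__ == "__main__":
    table = parse_acis(MAPPING_XML)
    alice = "uid=alice,ou=users,dc=example,dc=com"
    secret = "cn=secret,ou=private,dc=example,dc=com"
    print("anonymous read root    :", check_access(table, None, "dc=example,dc=com", "r"))
    print("anonymous read private :", check_access(table, None, secret, "r"))
    print("alice read private     :", check_access(table, alice, secret, "r"))
    print("alice write own entry  :", check_access(table, alice, alice, "w"))
```

Running the script shows the inheritance described above: anonymous users are denied under ou=private by the first ACI found on the way up, while an authenticated user skips that ACI (its subject does not match) and reaches the root grant. The "self" case also shows why the first-match walk matters for write access: alice finds the ou=users ACI for her own entry, but for a colleague's entry nothing matches and the request falls through to the default.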