Version:

MarketplaceSupport

Overview

When RadiantOne receives a request, it uses the user in the bind operation, and the access control instructions (ACIs) defined in order to allow or deny access to directory information. The server can allow or deny permissions such as read, write, search, or compare.

With ACI, you can control access to targets such as:

  • the entire virtual namespace
  • a specific subtree
  • specific entries in the virtual namespace
  • a specific set of entry attributes
  • specific entry attribute values

You can define access to the following subjects:

  • a particular user
  • all users who belong to a specific group
  • all users of the directory

Access controls are managed from the Control Panel > Manage > Security > Access Control.

The general ACI syntax is as follows:

(TARGET_DN)(SCOPE)(ATTRIBUTES)(VERSION; ACI_NAME; ALLOW/DENY (OPERATIONS) SUBJECT;)

The following default ACIs are defined:

  • All users have read access to the directory for search, compare, and read operations.


(target="ldap:///")(targetscope="base")(targetattr="*")(version 3.0; acl "RootDSE accessible to public"; allow (read,search,compare) userdn="ldap:///anyone";)

  • Users in the group cn=directory administrators,ou=globalgroups,cn=config have full access to the RadiantOne configuration as it is equivalent to cn=directory manager access. However, unlike cn=directory manager, users in this Directory Administrators group are subject to ACIs when accessing data in the RadiantOne namespace.

Access controls defined in RadiantOne are associated with an objectclass named vdACI.


Access Control Terms & Definitions

ACI Description

Each access control instruction has a description which explains the context of the rule.

Location (Target DN)

The location is the target where the access control is to be applied and is a distinguished name.

Target Filter

You can add an LDAP filter condition on the target resource (location) to protect.

For example, you can define the target resource as: all the entries under dv=address book,o=vds that have the attribute securitylevel set to secret.

To create this example, from the Control Panel > Manage > Security > Access Control and click +ADD ACI. Browse to select the dv=address book,o=vds branch and enter the target filter. An example is shown below.

Setting Access Controls

Scope

The scope of an access control rule can be entry level (base), one level or subtree level. Entry level pertains to the single entry specified in the Target DN. One level pertains to the entry specified in the Target DN and all child branches one level below it. Subtree level pertains to the entry specified in the Target DN as well as all child branches below this point.

Example of Entry Level Access Control

Example of Sub Tree Level Access Control

Target Attributes

The rule can indicate “equal to” (=) or “not equal to” (!=). Select the desired condition in the drop-down list.

Target Attributes Operator

The access rule can apply to “all” attributes or choose the “custom” option and click SELECT to narrow the list.

By default, the root ACI prevents only the target attribute aci from being returned. This default ACI is shown below.

Manual Edit of ACI

To improve security, if you want to also prevent userpassword from being returned, you can do so as shown in the following example ACI. Click +ADD ACI on the ACCESS CONTROL tab and then switch to MANUAL EDIT MODE.

Manual Edit Mode

(targetattr != "aci || userPassword")(target = "ldap:///")(targetscope = "subtree")(version 3.0;acl "grant read access to anyone";allow (read,compare,search) (userdn = "ldap:///anyone");)

If you do not want to return the userPassword attribute for anyone other than self, you can do so as shown in the following example ACI. Click +ADD ACI on the ACCESS CONTROL tab and then switch to MANUAL EDIT MODE.

(targetattr = "userPassword")(target = "ldap:///")(targetscope = "subtree")(version 3.0;acl "Allow Access to userPassword to self";allow (all) (userdn = "ldap:///self");)

Authentication Context

The Authentication Context section offers settings related to days and times of the week during which the identity is allowed to access data.

Select the days of the week and enter time ranges which the access control instruction is applicable. Click add button to add the time range. Multiple time ranges per day are supported.

Permissions

If no access permissions have been defined, the default behavior is to grant read access to all attributes except “aci” to everyone. This default is set on the Control Panel > Manage > Security > Access Control > ACCESS CONTROL tab. Select the “root” node. Click Pencil inline with the "grant read access to anyone" ACL.

Default Global ACI Setting

Type

You can explicitly allow or deny access permissions by selecting the applicable option from the drop-down.

Permission Type

Operations

The specific operations a user can perform on directory data are defined below. You can allow or deny all operations, or you can assign one or more of the following:

All

Indicates that the subject has the following rights to the targeted entry: read, write, search, delete, compare, and selfwrite. The All access right does not give proxy permissions.

Example of the syntax to indicate all:

(targetattr = "homePhone")(target = "ldap:///dv=address book,o=vds")(targetfilter = "(securitylevel=secret)")(targetscope = "subtree")(version 3.0;acl "myaci";allow (all) (userdn = "ldap:///all");)

Read

Indicates whether users can read the directory entries and the attributes of entries specified in the ACI. This permission applies only to the search operation.

Search

Indicates whether users can search on the targets specified in the ACI. This permission applies only to the search operation. The Search right is checked once, and after the search is allowed or denied, it is not checked again. If the search is allowed, the read right is then applied to each entry to be returned as a result of the search and to each attribute of each entry.

Add

Indicates whether users can create entries.

Delete

Indicates whether users can delete entries.

Compare

Indicates whether users can compare data they supply in the request with data stored in the directory. With compare rights, the directory returns a success or failure message in response to an inquiry, but the user cannot see the value of the entry or attribute.

Write

Indicates whether users can modify an entry by adding, modifying, or deleting attributes. This permission applies to the modify and modRDN operations.

Self Write

Indicates whether users can add or delete their own DN in an attribute of the target group entry. The syntax of this attribute must be a distinguished name. This right is used only for group management. Self write works with proxy authorization: it grants the right to add or delete the proxy DN from the group entry (not the DN of the user from the Bind operation).

Proxy

Authorization for RadiantOne data is checked based on the user who authenticated. The authorization ID (DN) is linked to the authenticated ID (DN) for the same connection. With the proxy authorization control enabled, the client can switch the user ID (for authorization purposes) without having to re-authenticate with a new connection.

If there is the need to base authorization on a different user than the one who authenticated, you can use the proxy authorization control. This is primarily useful in environments where an application must authenticate many users and doesn’t want to maintain an open connection to RadiantOne for each of them. With this approach, the application can authenticate the user, and after, impersonate that user for authorization purposes. The application can use its own service account when connecting to RadiantOne and pass the needed control along with the user DN of the person they want to represent for authorization in their requests. RadiantOne then checks the proxy authorization rules that have been configured in access controls to make sure the service account is allowed to represent the person passed in their request. If so, the service account is allowed to perform any operations the person they are impersonating would be allowed to do.

The proxy option indicates whether the subject can access the target with the rights of another entry. You can grant proxy access using the DN of any user in the directory except the special cn=directory manager user. In addition, you cannot grant proxy rights to the cn=directory manager user. If the branch you are protecting with access controls is a RadiantOne Directory store, then this requires the Proxy Authorization control enabled for RadiantOne. Enable this from Control Panel > Global Settings > Client Protocols > LDAP.

Proxy Authorization Control

Subjects

A subject is whom the access control rule applies to. The subject types that can be associated with access control rules are described below:

  • Users – applicable to any specific user(s).
  • Groups – applicable to a group of users. If the group is a nested group in a RadiantOne Directory, navigate to Control Panel > Manage > Security > Access Control > GENERAL tab and toggle on: ENABLE NESTED GROUPS and configure Linked Attributes.
  • Tree Branch - Applicable to the DN specified as part of the subject and all entries below it in the virtual directory tree. The defined access permissions apply to any user found in the tree branch you choose.
  • Group Owner - applicable to the owner, manager, or role of the group. You can also define the target, scope, attributes and permissions using the Manual Edit Mode to refine the subject for this complex scenario. See below for an example:
(targetattr="*")(target="ldap:///o=My Company?manager,owner,role")(targetscope = "subtree")(version 3.0;acl "Group owner access only";allow (all)(userdn = "ldap:///self");)

The above ACI will dictate that: if the binding user is the "manager", or the "owner", or bearing the "role" of the targeted entity, then the binding user has the access to targeted entry; otherwise, the access is denied.
  • Public – anyone connected to the directory is considered public. This also includes anonymous users.
  • Self – applicable to the user whose authenticated DN matches the DN of the entry that is being accessed.
  • Authenticated – applicable to any user who successfully authenticates.
  • Parent – applicable to the entry only if their bind DN is the parent of the targeted entry. For example, to allow users to modify any child entries of their bind DN, create the following ACI using Manual Edit Mode on the dv=address book,o=vds node:
(targetattr = "*")(target = "ldap:///dv=address book,o=vds")(targetscope = "subtree")(version 3.0;acl "myaci";allow (write) (userdn = "ldap:///parent");)

ACI Evaluation Rules

The ACI evaluation rules that RadiantOne follows are:

  1. When the RadiantOne service starts, all ACIs defined in the entries below "ou=aggregate,ou=globalaci,cn=config" are loaded.

  2. To determine if an operation is allowed or denied, RadiantOne looks in the ACI list for the target of the operation to collect all target-matched aci values.

  3. RadiantOne separates the aci values into two lists; one list contains all the aci values that match the target and denies the required access, and the other list contains all the aci values that match the target and allows the required access.

  4. If the deny list contains any aci values after this procedure, access is immediately denied.

  5. If the deny list is empty, then the allow list is processed. If the allow list contains any aci values, access is allowed.

If both lists are empty, access is denied.

EOC Environment Logs


Setting Access Controls

To define access controls:

  1. From the Control Panel > Manage > Security > Access Control > GENERAL tab, toggle the ENABLE ACI option on and click SAVE.

  2. From the Control Panel > Manage > Security > Access Control > ACCESS CONTROL tab, select the Root.

  3. Click + ADD ACI. The Edit ACI pane is displayed.

  4. Click Browse to navigate to the target DN.

  5. Enter an ACI description.

  6. In the Target Scope drop-down list, select base, onelevel or subtree.

  7. For the Target Attributes, select either “equal to” (=) or “not equal to” (!=) from the drop-down list. Then choose to either have the access rule apply to “all” or “custom”. If custom is selected, click SELECT to narrow the list.

    If you choose custom, and your attribute doesn’t appear in the list, you must update the RadiantOne LDAP schema appropriately before setting the ACI. For details on this, please see Extending RadiantOne LDAP Schema. After the schema has been updated, go back to the Control Panel > Manage > Security > Access Control > ACCESS CONTROL tab and follow the steps mentioned above to add the custom attribute list.

  8. In the Target Filter, enter an applicable LDAP filter to narrow the entries affected by the access control rule. This step is optional.

  9. In the Permissions section, select the Type either to allow or deny.

  10. Select the operations that you want allowed or denied.

  11. In the Authentication Context section, configure a schedule as needed.

  12. In the Apply To section, select the subjects that will be allowed or denied access.

    To assign users, groups or users associated in a specific tree/branch, click + NEW next to SPECIFIC USERS. Enter the base DN, scope and filter to locate users, groups and or tree branches to apply the access control to. Click OK when finished.

    To assign public, toggle the PUBLIC option on.

    To assign self, toggle the SELF option on.

    To assign all authenticated users, toggle the AUTHENTICATED option on.

    To assign permissions associated with the parent, toggle the PARENT option on.

  13. Click SAVE when finished.

IN THIS PAGE