Comment: Migrated to Confluence 5.3

...

Section 18.4.2.5 Determining group membership (b)

In order to determine whether the requestor is a member of a userGroup user class, the following criteria apply:

  • The entry named by the userGroup specification shall be an instance of the object class groupOfNames or groupOfUniqueNames.
  • The name of the requestor shall be a value of the member or uniqueMember attribute of that entry.

User Class: subtree

Here the user class specification construct is a subtree specification without a refinement filter. Such a specification is simple yet very powerful. The subtree defines a collection of entries. During ACI evaluation, ApacheDS checks whether the requestor's DN falls within this collection.

...

{ identificationTag "deleteAci",
  precedence 255,
  authenticationLevel simple,
  itemOrUserFirst userFirst: 
    {
      userClasses 
        { 
           thisEntry, 
           name { "uid=jbean,ou=users,ou=system" }, 
           name { "uid=jdoe,ou=users,ou=system" }, 
           userGroup { "cn=Administrators,ou=groups,ou=system" } 
        },
      userPermissions { { protectedItems {entry}, grantsAndDenials { grantRemove } } } 
    } 
}
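
The following is an added example, not ApacheDS code: a simplified Python model of how the user classes in the item above (plus a base-only subtree) are matched against a requestor, including the group membership criteria. The function names, the in-memory directory and its entries are constructed for illustration, and DN comparison is reduced to case-folding and whitespace trimming rather than real matching rules.

```python
GROUP_CLASSES = {"groupofnames", "groupofuniquenames"}

def norm(dn):
    # Assumption: case-fold and trim around commas; escaped commas are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_user_group(directory, group_dn, requestor_dn):
    entry = directory.get(norm(group_dn))
    if entry is None:
        return False
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if not classes & GROUP_CLASSES:
        return False  # criterion 1: entry must be a groupOfNames/groupOfUniqueNames
    members = entry.get("member", []) + entry.get("uniqueMember", [])
    # criterion 2: requestor's name is a value of member or uniqueMember
    return norm(requestor_dn) in {norm(m) for m in members}

def in_subtree(base_dn, requestor_dn):
    # Subtree without refinement, modelled with a base only (no minimum/maximum/chop).
    base, req = norm(base_dn), norm(requestor_dn)
    return req == base or req.endswith("," + base)

def matches_user_classes(directory, user_classes, requestor_dn, target_dn):
    # The requestor matches if any one of the listed user classes applies.
    req = norm(requestor_dn)
    for kind, *arg in user_classes:
        if kind == "thisEntry" and req == norm(target_dn):
            return True
        if kind == "name" and req == norm(arg[0]):
            return True
        if kind == "userGroup" and in_user_group(directory, arg[0], requestor_dn):
            return True
        if kind == "subtree" and in_subtree(arg[0], requestor_dn):
            return True
    return False

# userClasses of the "deleteAci" item above
DELETE_ACI_USER_CLASSES = [
    ("thisEntry",),
    ("name", "uid=jbean,ou=users,ou=system"),
    ("name", "uid=jdoe,ou=users,ou=system"),
    ("userGroup", "cn=Administrators,ou=groups,ou=system"),
]

# Constructed directory content: one real group and one look-alike entry.
DIRECTORY = {
    norm("cn=Administrators,ou=groups,ou=system"): {
        "objectClass": ["top", "groupOfNames"],
        "member": ["uid=alice,ou=users,ou=system"]},
    norm("cn=Lookalike,ou=groups,ou=system"): {
        "objectClass": ["top", "extensibleObject"],
        "member": ["uid=bob,ou=users,ou=system"]},
}
```

The look-alike entry shows why the object class criterion matters: an entry that merely carries a member attribute does not confer group membership.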