| | 1 | 20081103 elm EDIR/AUTHSERV Access Control |
| | 2 | |
| | 3 | See also: |
| | 4 | |
| | 5 | https://donnelly.alaska.edu/docs/LDAP/ALL__security |
| | 6 | https://donnelly.alaska.edu/docs/LDAP/ALL__security_account_admin |
| | 7 | |
| | 8 | Because EDIR/AUTHSERV are comprised of a loosely coupled set of CGI scripts (the web |
| | 9 | pages), stored procedures and batch processes (the Oracle registry) and iPlanet directory, |
| | 10 | restrictions on access control are implemented in a number of ways. |
| | 11 | |
| | 12 | ## Directory ACIs and Schema ## |
| | 13 | |
| | 14 | The primary mechanism for restricting access are the iPlanet directory ACIs. Those ACIs |
| | 15 | dictate who may READ, WRITE, SEARCH and COMPARE directory data. No matter what mechanism |
| | 16 | is used to access directory data, the underlying ACIs limit what is possible. |
| | 17 | |
| | 18 | However, the directory ACIs as currently established do not cover all functions resulting |
| | 19 | in directory updates. For instance, there are currently no ACIs that make it possible for |
| | 20 | a credentialed user to create a directory record whether it be a guest or resource account, |
| | 21 | routing or department record, or group record. Until such time as sufficiently restrictive |
| | 22 | ACIs are created, the Directory Manager credentials are utilized to perform select functions. |
| | 23 | |
| | 24 | The directory schema also plays a role in access control. No data can be injected into or |
| | 25 | updated in the directory unless the attribute/object being referenced is defined in the |
| | 26 | directory schema. |
| | 27 | |
| | 28 | |
| | 29 | ## EDIRrole Attribute and iPlanet Roles ## |
| | 30 | |
| | 31 | EDIRrole is a locally defined attribute used in the definition of iPlanet roles which in |
| | 32 | turn are used to scope directory ACIs. Each EDIRrole is associated with a specific type of |
| | 33 | administrative access; the ability to reset passwords, create guest accounts, update |
| | 34 | department records, etc. EDIRrole values are in some cases also used to scope a type of |
| | 35 | access (ability to update some department records but not others). |
| | 36 | |
| | 37 | NOTE: EDIRrole grants are managed via normal administrative channels (ZUAUSR). |
| | 38 | |
| | 39 | |
| | 40 | ## Web Gateway CGI Scripts ## |
| | 41 | |
| | 42 | In addition to being used in the definition of iPlanet roles which are in turn used to |
| | 43 | scope directory ACIs, EDIRrole grants are utilized by the EDIR/AUTHSERV web gateway CGI |
| | 44 | scripts to control access to (display of) various web pages. This allows the web pages to |
| | 45 | reject access upfront without first attempting an action in the directory. |
| | 46 | |
| | 47 | Having a web page check EDIRrole grants prior to performing an action is particularly |
| | 48 | important for those pages that rely on Directory Manager credentials rather than the |
| | 49 | credentials of the users requesting the action. Only individuals granted a particular |
| | 50 | EDIRrole are allowed to trigger the execution of restricted functions performed by |
| | 51 | Directory Manager. |
| | 52 | |
| | 53 | Web gateway CGI scripts also rely on a special mapping of directory attributes that |
| | 54 | determine whether or not a particular attribute will be presented in an update page. This |
| | 55 | helps to reduce the number of complaints by users that say "I tried to change <blah> but I |
| | 56 | got an error saying I did have the authority to make the change". |
| | 57 | |
| | 58 | |
| | 59 | ## Update Back End ## |
| | 60 | |
| | 61 | All updates of self service attributes are ultimately processed by a back end web site |
| | 62 | designed for the sole purpose of processing update requests. That update back end, which is |
| | 63 | closest to directory data, also utilizes EDIRrole grants to limit access to restricted |
| | 64 | functions. This insures that even if a particular web page fails to limit access, the back |
| | 65 | end processes requests only from users with the authority to make the request. |
| | 66 | |
| | 67 | Being closest to the directory data, the update back end is one of two points at which |
| | 68 | business rules are most appropriately enforced and is therefore a mechanism for restricting |
| | 69 | access. The other point where business rules are appropriately enforced is the Oracle registry. |
| | 70 | |
| | 71 | |
| | 72 | ## Oracle Registry ## |
| | 73 | |
| | 74 | The Oracle registry is the primary mechanism by which business rules are enforced during |
| | 75 | directory updates and is therefore a mechanism for restricting access. During the two |
| | 76 | step update process for self service directory attributes, attribute changes are first |
| | 77 | submitted to the Oracle registry. If during the enforcement of business rules the update |
| | 78 | is rejected, then no further action is taken and the update is denied. |
| | 79 | |
| | 80 | In September of 2008, three attributes were excluded from the process of two step updates |
| | 81 | and so now bypass the Oracle registry: uakUserPassword, uakSecQuestion and uakSecResponse. |
| | 82 | The business rules formerly enforced by the Oracle registry are now enforced via the update |
| | 83 | back end (see note above). |
| | 84 | |
| | 85 | ####################### |
| | 86 | DOCUMENT CHANGE HISTORY |
| | 87 | |
| | 88 | 20081031 elm corrected typo |
| | 89 | 20081103 elm added "See also:" with links to other security related docs |
| | 90 | |
| | 91 | #eof |