Changes between Version 2 and Version 3 of ALL__security_access_control


Ignore:
Timestamp:
11/20/14 15:21:41 (9 years ago)
Author:
lttoth@…
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • ALL__security_access_control

    v2 v3  
    44See also: 
    55 
    6         https://donnelly.alaska.edu/docs/LDAP/ALL__security 
    7         https://donnelly.alaska.edu/docs/LDAP/ALL__security_account_admin 
     6        [[ALL__security| Directory Related Security]][[br]] 
     7        [[ALL__security_account_admin| Directory Account Administration ]] 
    88 
    99Because EDIR/AUTHSERV are comprised of a loosely coupled set of CGI scripts (the web  
     
    1111restrictions on access control are implemented in a number of ways.    
    1212 
    13 ## Directory ACIs and Schema ## 
     13== Directory ACIs and Schema == 
    1414 
    1515The primary mechanism for restricting access are the iPlanet directory ACIs.  Those ACIs  
    16 dictate who may READ, WRITE, SEARCH and COMPARE directory data.  No matter what mechanism  
    17 is used to access directory data, the underlying ACIs limit what is possible. 
     16dictate who may READ, WRITE, SEARCH and COMPARE directory data.  No matter what mechanism is used to access directory data, the underlying ACIs limit what is possible. 
    1817 
    1918However, the directory ACIs as currently established do not cover all functions resulting  
     
    2827 
    2928 
    30 ## EDIRrole Attribute and iPlanet Roles ## 
     29== EDIRrole Attribute and iPlanet Roles == 
    3130 
    3231EDIRrole is a locally defined attribute used in the definition of iPlanet roles which in  
     
    3635access (ability to update some department records but not others). 
    3736 
    38 NOTE: EDIRrole grants are managed via normal administrative channels (ZUAUSR). 
     37''NOTE:'' EDIRrole grants are managed via normal administrative channels (ZUAUSR). 
    3938 
    40  
    41 ## Web Gateway CGI Scripts ## 
     39== Web Gateway CGI Scripts == 
    4240 
    4341In addition to being used in the definition of iPlanet roles which are in turn used to  
     
    5856 
    5957 
    60 ## Update Back End ## 
     58== Update Back End == 
    6159 
    6260All updates of self service attributes are ultimately processed by a back end web site  
     
    7068access.  The other point where business rules are appropriately enforced is the Oracle registry. 
    7169 
    72  
    73 ## Oracle Registry ## 
     70== Oracle Registry == 
    7471 
    7572The Oracle registry is the primary mechanism by which business rules are enforced during  
     
    8178In September of 2008, three attributes were excluded from the process of two step updates 
    8279and so now bypass the Oracle registry: uakUserPassword, uakSecQuestion and uakSecResponse.   
    83 The business rules formerly enforced by the Oracle registry are now enforced via the update  
    84 back end (see note above). 
     80The business rules formerly enforced by the Oracle registry are now enforced by a separate application, ELMO. 
    8581 
    8682########################################################[[br]] 
     
    908620081031 elm    corrected typo 
    918720081103 elm    added "See also:" with links to other security related docs 
    92  
    93 #eof