

Access Controls

Access Controls for the Entire Tree

A client who accesses the directory without binding to it does not have any access rights. All clients who bind with the credentials of an SRC component or an operator are members of the SSC-component-operator group and by default have the following access rights:

Clients binding with the Apache DN or as a member of the WebAdmin group have read and search permissions in the subtree o=Operators, o=umc.

Members of the WebAdmin group are allowed to administer the SAE through the SAE Web Administration pages.

The members of the SSC_Admin group and the super-administrator have access rights to the entire tree.


Figure 15: Access Rights for the UMC Tree

Access Controls Against Objects of Type cachedAuthenticationProfile and umcConfiguration

The SAE binds against the directory as cn=ssp, ou=components, o=operators, o=umc and needs full access rights for entries of the object classes cachedAuthenticationProfile and umcConfiguration.

It is easier to implement these access rights by targeting the two subtrees that hold the cached entries (o=AuthCache, o=umc and o=UserProfilesCache, o=umc) than by targeting the object classes.


Figure 16: Access Rights Against cachedAuthenticationProfile and umcConfiguration Objects

Access Controls Against sspServiceProfile

In addition to the previously discussed access rights, the SAE requires full access rights to objects of type sspServiceProfile.


Figure 17: Access Controls Against sspServiceProfiles in the User Subtree

Access Controls Against umcRadiusPerson and umcUser

The SAE requires read access to the userPassword attribute for entries of type umcRadiusPerson and umcUser.


Figure 18: Access Rights Against umcRadiusPerson and umcUser

Access Controls Against RADIUS Profiles

RADIUS requires read access to the userPassword attribute in umcRadiusPerson entries to authenticate subscriber requests, and in umcOutsourcingServiceProfile entries to determine the tunnel parameters for a Layer 2 Tunneling Protocol (L2TP) outsourcing scenario. The RADIUS server binds with the credentials of cn=radius, ou=components, o=operators, o=umc.


Figure 19: Access Rights Against umcRadiusPerson and umcOutsourcingServiceProfile Objects

Access Controls Against the Policy Subtree

The policy management component uses the credentials of cn=pom, ou=components, o=operators, o=umc and requires the following set of access rights for the policy subtree. It needs to perform add, delete, and modify operations on all policy and policyFolder objects in the o=Policies, o=umc subtree.


Figure 20: Policy Rights Against All Objects in the o=Policies,o=umc Tree

Access Controls Against the Parameter Subtree

The policy management component requires the following set of access controls for the parameter subtree. It needs to perform add, delete, and modify operations on all objects in the o=Parameter, o=umc subtree.


Figure 21: Access Rights Against All Objects in the Tree o=Parameters, o=umc

Access Controls for System Management

The system management component binds as cn=sysman, ou=components, o=operators, o=umc and requires full access rights for the subtree ou=SystemManagement, o=Configuration, o=Management, o=umc.


Figure 22: Access Rights for System Management

Access Controls Against the Lock Subtree

The object state manager component requires full access rights to the subtree o=Locks, o=umc. This component uses the credentials of cn=osm, ou=components, o=operators, o=umc to bind against the directory.


Figure 23: Access Rights Against the Entire o=Locks,o=umc Subtree

Access Controls Against Subscriber, Retailer, and Service Profiles

The workflow component needs to flag objects that are in a transactional state. Those objects can be any umcSubscriber, umcRetailer, or umcServiceProfile object. The component must have modify rights on those target objects and write access to all attributes that are part of the auxiliary class transactionalObjectAuxClass, as well as the attribute objectClass. The workflow component binds with the credentials of cn=workflow, ou=components, o=operators, o=umc against the directory.
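For the RADIUS rights described earlier (read access to userPassword on umcRadiusPerson and umcOutsourcingServiceProfile entries) and the workflow rights just described, here is an added example, not taken from this documentation or from the SRC product, of how such attribute-level, object-class-scoped grants look as 389-DS/Netscape-style ACIs. The ACI syntax, the placement of the ACIs at o=users, o=umc, and the placeholder attribute name are assumptions: the page names neither the directory server nor the attributes of transactionalObjectAuxClass.

```ldif
# Constructed example (not the product's own configuration). ACI syntax follows
# 389-DS / Netscape Directory Server conventions; adjust the target entry to
# whichever subtree actually holds the affected objects in your deployment.
dn: o=users, o=umc
changetype: modify
# RADIUS: read userPassword on umcRadiusPerson and umcOutsourcingServiceProfile
# entries only. No write permission and no other attributes are granted, so a
# compromised RADIUS credential cannot alter subscriber data.
add: aci
aci: (targetattr="userPassword")
 (targetfilter="(|(objectClass=umcRadiusPerson)(objectClass=umcOutsourcingServiceProfile))")
 (version 3.0; acl "radius-read-credentials";
 allow (read, search, compare)
 userdn="ldap:///cn=radius, ou=components, o=operators, o=umc";)
-
# Workflow: modify objectClass and the transactional-state attributes on
# umcSubscriber, umcRetailer and umcServiceProfile entries only. Replace the
# placeholder with the real attribute names of transactionalObjectAuxClass,
# which this page does not list.
add: aci
aci: (targetattr="objectClass || TRANSACTIONAL_ATTR_PLACEHOLDER")
 (targetfilter="(|(objectClass=umcSubscriber)(objectClass=umcRetailer)(objectClass=umcServiceProfile))")
 (version 3.0; acl "workflow-flag-transactional";
 allow (write)
 userdn="ldap:///cn=workflow, ou=components, o=operators, o=umc";)
-
```

After loading the fragment, bind as each component DN and confirm that a search for userPassword succeeds only for cn=radius and that a modify of userPassword fails for both, which is the quickest check that the grants stay attribute-scoped.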


Figure 24: Access Rights Against umcSubscriber, umcRetailer, and umcServiceProfile Objects

Access Controls Against the Network Subtree

The network operator is allowed to administer only objects within the subtree o=Network, o=umc and binds against the directory using the credentials of cn=network-operator, o=operators, o=umc.


Figure 25: Access Rights Against the Entire o=Network,o=umc Subtree

Access Controls Against Services and Mutex Group Objects

The service operator requires full access rights for umcService objects, as well as for umcMutexGroup objects. These objects are subordinates of the entries o=Services, o=umc and o=Scopes, o=umc. The service operator binds with the DN cn=service-operator, o=operators, o=umc against the directory.


Figure 26: Access Rights Against umcService and umcMutexGroup Objects

Access Controls Against the Workflow Subtree

Workflow operators manage all workflow objects within the subtree o=Workflows, o=umc. Therefore, these operators require full access rights for the subtree o=Workflows, o=umc. Such operators use the credentials of cn=workflow-operator, o=operators, o=umc against the directory.


Figure 27: Access Rights Against the Entire o=Workflows, o=umc Subtree

Access Controls Against the User Subtree

Subscriber operators are responsible for the entire o=users, o=umc subtree and require full access rights. The subscriber operator uses the credentials of the entry cn=subscriber-operator, o=operators, o=umc.


Figure 28: Access Rights Against the Entire o=users, o=umc Subtree

Access Controls Against Service, Policy, and Global Parameter Objects

All enterprise managers require read and search rights to objects of type umcService, policy, and umcGlobalParameter. These managers bind with their own credentials against the directory.


Figure 29: Access Rights Against umcService, Policy, and umcGlobalParameter Objects

Activation Access Rights

Operators who are members of the user group cn=Activations need to be able to change the attribute sspAction to activate or deactivate SSP services in an enterprise, site, or access scope. Figure 30 shows these modify rights.


Figure 30: Modify Rights for Activation Managers

Subscription Access Rights

Subscription operators are members of the user group cn=Subscriptions and are able to subscribe and unsubscribe to and from SSP services in their specific scope (that is, enterprise, site, or access). This is the creation and deletion of objects from the type sspServiceProfile. As a result, subscription operators require full access rights to the objects shown in Figure 31.


Figure 31: Access Rights for Subscription Managers

Substitution Access Rights

Members of the Substitutions user group receive the access rights required to attach auxiliary object classes to objects and to modify the attribute types belonging to the auxiliary class parameterAuxClass.


Figure 32: Access Rights for Substitution Managers

Common Access Rights for All Managers

All enterprise managers (that is, members of the previously mentioned user groups) have the following common rights:


Figure 33: Access Rights for All Managers
