Access Controls
Access Controls for the Entire Tree
A client that accesses the directory without binding has no access rights at all. All clients that bind with the credentials of an SSC component or an operator are members of the SSC-component-operator group and have the following rights by default:
- No access to the subtree o=Operators, o=umc
- Read access to the rest of the directory tree, including the operational attributes creationTimeStamp and modifyTimeStamp
- No read or compare rights on any userPassword value
Clients that bind with the Apache DN or as a member of the WebAdmin group additionally have read and search permissions in the subtree o=Operators, o=umc:
- Read access to all user attributes
- No read permission and no filter-match (compare) permission on the attribute userPassword
Members of the WebAdmin group are allowed to administer the SAE through the SAE Web Administration pages.
The members of the SSC_Admin group and the super-administrator have access rights to the entire tree.
Access Controls Against Objects of Type cachedAuthenticationProfile and umcConfiguration
The SAE binds as cn=ssp, ou=components, o=operators, o=umc against the directory and needs full access rights for entries of the object classes cachedAuthenticationProfile and umcConfiguration.
It is simpler to grant these rights by targeting the two subtrees that hold the cached entries (o=AuthCache, o=umc and o=UserProfilesCache, o=umc) than by matching on object class.
Access Controls Against sspServiceProfile
In addition to the access rights discussed above, the SAE requires full access to all objects of type sspServiceProfile.
Access Controls Against umcRadiusPerson and umcUser
The SAE requires read access to the userPassword attribute of entries of type umcRadiusPerson and umcUser.
Access Controls Against RADIUS Profiles
The RADIUS server requires read access to the userPassword attribute of umcRadiusPerson entries, to authenticate subscriber requests, and of umcOutsourcingServiceProfile entries, to determine the tunnel parameters for a Layer 2 Tunneling Protocol (L2TP) outsourcing scenario. The RADIUS server binds with the credentials of cn=radius, ou=components, o=operators, o=umc.
Access Controls Against the Policy Subtree
The policy management component binds with the credentials of cn=pom, ou=components, o=operators, o=umc and requires add, delete, and modify rights on all policy and policyFolder objects in the o=Policies, o=umc subtree.
Access Controls Against the Parameter Subtree
The policy management component also requires add, delete, and modify rights on all objects in the o=Parameter, o=umc subtree.
Access Controls for System Management
The system management component binds as cn=sysman, ou=components, o=operators, o=umc and requires full access rights for the subtree ou=SystemManagement, o=Configuration, o=Management, o=umc.
Access Controls Against the Lock Subtree
The object state manager component requires full access rights to the subtree o=Locks, o=umc. This component uses the credentials of cn=osm, ou=components, o=operators, o=umc to bind against the directory.
Access Controls Against Subscriber, Retailer, and Service Profiles
The workflow component must flag objects that are in a transactional state; such an object can be any umcSubscriber, umcRetailer, or umcServiceProfile object. The component therefore needs modify rights on those target objects, with write access to every attribute of the auxiliary class transactionalObjectAuxClass and to the attribute objectClass (needed to attach the auxiliary class). The workflow component binds against the directory with the credentials of cn=workflow, ou=components, o=operators, o=umc.
Access Controls Against the Network Subtree
The network operator may administer only objects within the subtree o=Network, o=umc and binds against the directory using the credentials of cn=network-operator, o=operators, o=umc.
Access Controls Against Services and Mutex Group Objects
The service operator requires full access rights to umcService objects and umcMutexGroup objects, which are subordinates of the entries o=Services, o=umc and o=Scopes, o=umc. The service operator binds against the directory with the DN cn=service-operator, o=operators, o=umc.
Access Controls Against the Workflow Subtree
Workflow operators manage all workflow objects within the subtree o=Workflows, o=umc and therefore require full access rights to that subtree. They bind against the directory with the credentials of cn=workflow-operator, o=operators, o=umc.
Access Controls Against the User Subtree
Subscriber operators are responsible for the entire o=users, o=umc subtree and require full access rights to it. The subscriber operator binds with the credentials of the entry cn=subscriber-operator, o=operators, o=umc.
Access Controls Against Service, Policy, and Global Parameter Objects
All enterprise managers require read and search rights on objects of type umcService, policy, and umcGlobalParameter. These managers bind against the directory with their own credentials.
Activation Access Rights
Operators who are members of the user group cn=Activations must be able to change the attribute sspAction in order to activate or deactivate SSP services in an enterprise, site, or access scope. Figure 30 shows these modify rights.
Subscription Access Rights
Subscription operators are members of the user group cn=Subscriptions and can subscribe to and unsubscribe from SSP services within their own scope (enterprise, site, or access). Subscribing and unsubscribing means creating and deleting objects of type sspServiceProfile, so subscription operators require full access rights to the objects shown in Figure 31.
Substitution Access Rights
Members of the Substitutions user group receive the access rights needed to attach auxiliary object classes to objects and to modify the attributes that belong to the auxiliary class parameterAuxClass.
Common Access Rights for All Managers
All enterprise managers (that is, members of the user groups listed above) have the following rights in common:
- Read access to the service subtree (o=services, o=umc)
- Read access to the policy subtree (o=policies, o=umc)
- Read access to the global parameter subtree (o=parameters, o=umc)
- Read access to the manager's own scope, that is, the enterprise, site, or access it manages
- Modify rights on the userPassword and description values of the manager's own entry
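The access matrix on this page is easiest to get wrong in the ordering of overlapping rules: a blanket userPassword deny placed above the SAE and RADIUS grants, or the group-wide read placed above the o=Operators exclusion, silently changes who can read credentials. The following Python is an added example, not code from the original page or from the SSC product. It encodes a representative subset of the rights described above (the entire-tree defaults, the SAE and RADIUS userPassword grants, a few per-component subtrees, the o=Operators rules, and the managers' rights on their own entry) as an ordered, first-match policy in the style of slapd-style access control and checks the page's least-privilege statements against it. The page does not name the directory product or its ACL syntax, so the evaluator semantics (first match wins, deny by default, none < compare < search < read < write) are an assumption; the Apache DN cn=apache,ou=components,o=operators,o=umc, the operator entry cn=jane, the manager entry cn=mgr1,o=Enterprises,o=umc, the subscriber entry uid=bob,o=users,o=umc and the object classes of the sample targets are constructed for the example.

```python
from dataclasses import dataclass

LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}
ANY = "*"

def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))   # DNs are case-insensitive
def in_subtree(dn, base):
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)
def who(*items):
    return frozenset(norm(i) for i in items)

@dataclass(frozen=True)
class Rule:
    subtree: str                            # ANY = whole tree
    grant: str                              # highest level granted (a key of LEVELS)
    who: frozenset                          # bind DNs, "group:<cn>", "self", or ANY
    attrs: frozenset = frozenset({ANY})     # attributes the rule covers
    classes: frozenset = frozenset({ANY})   # objectClass filter on the target entry
    exclude: frozenset = frozenset()        # subtrees carved out of the rule's scope

@dataclass(frozen=True)
class Subject:
    dn: "str | None"                        # None = client did not bind
    groups: frozenset = frozenset()

def principals(subject, target_dn):
    if subject.dn is None:
        return {"anonymous"}
    names = {norm(subject.dn)} | {"group:" + g.lower() for g in subject.groups}
    if norm(subject.dn) == norm(target_dn):
        names.add("self")
    return names

def matches(rule, subject, target_dn, classes, attr):
    if rule.subtree != ANY and not in_subtree(target_dn, rule.subtree):
        return False
    if any(in_subtree(target_dn, ex) for ex in rule.exclude):
        return False
    if ANY not in rule.classes and not rule.classes & {c.lower() for c in classes}:
        return False
    if ANY not in rule.attrs and attr.lower() not in rule.attrs:
        return False
    return ANY in rule.who or bool(rule.who & principals(subject, target_dn))

def allowed(policy, subject, target_dn, classes, attr, op):   # first match decides; no match = no access
    for rule in policy:
        if matches(rule, subject, target_dn, classes, attr):
            return LEVELS[rule.grant] >= LEVELS[op]
    return False

SSP, RADIUS = "cn=ssp,ou=components,o=operators,o=umc", "cn=radius,ou=components,o=operators,o=umc"
POM, OSM = "cn=pom,ou=components,o=operators,o=umc", "cn=osm,ou=components,o=operators,o=umc"
NETOP, COMP, ADMIN = "cn=network-operator,o=operators,o=umc", "group:SSC-component-operator", "group:SSC_Admin"
APACHE = "cn=apache,ou=components,o=operators,o=umc"    # ASSUMED: the page only says "the Apache DN"
PW = frozenset({"userpassword"})
POLICY = [                                                # most specific first
    Rule(ANY, "write", who(ADMIN)),                       # SSC_Admin: the entire tree
    Rule(ANY, "read", who(SSP), PW, frozenset({"umcradiusperson", "umcuser"})),
    Rule(ANY, "read", who(RADIUS), PW, frozenset({"umcradiusperson", "umcoutsourcingserviceprofile"})),
    Rule(ANY, "write", who("self"), PW | {"description"},   # managers: own password and description,
         exclude=frozenset({"o=Operators,o=umc"})),         # but never for entries under o=Operators
    Rule(ANY, "none", who(ANY), PW),                      # everyone else: no read/compare on userPassword
    Rule("o=AuthCache,o=umc", "write", who(SSP)),
    Rule("o=Policies,o=umc", "write", who(POM)),
    Rule("o=Network,o=umc", "write", who(NETOP)),
    Rule("o=Operators,o=umc", "read", who(APACHE, "group:WebAdmin")),
    Rule("o=Operators,o=umc", "none", who(ANY)),          # closed to every other bound client
    Rule("o=umc", "read", who(COMP)),                     # rest of the tree; unbound clients fall through
]

def least_privilege_checks(policy=POLICY):
    """Statements from the page; returns the names of those that FAIL (empty list = all hold)."""
    g = frozenset({"SSC-component-operator"})
    anon, osm, rad, net = Subject(None), Subject(OSM, g), Subject(RADIUS, g), Subject(NETOP, g)
    web, mgr = Subject("cn=jane,o=Operators,o=umc", g | {"WebAdmin"}), Subject("cn=mgr1,o=Enterprises,o=umc", g)
    user, oper = "uid=bob,o=users,o=umc", RADIUS            # ASSUMED sample entries (web, mgr, user)
    a = lambda s, dn, cls, attr, op: allowed(policy, s, dn, {cls}, attr, op)
    cases = {
        "unbound client has no rights": not a(anon, user, "umcUser", "cn", "read"),
        "component reads the tree": a(osm, "o=Policies,o=umc", "policy", "cn", "read"),
        "component is shut out of o=Operators": not a(osm, oper, "top", "cn", "read"),
        "component cannot compare userPassword": not a(osm, user, "umcUser", "userPassword", "compare"),
        "RADIUS reads umcRadiusPerson passwords": a(rad, user, "umcRadiusPerson", "userPassword", "read"),
        "RADIUS reads no other password": not a(rad, oper, "top", "userPassword", "read"),
        "WebAdmin reads o=Operators but no passwords":
            a(web, oper, "top", "cn", "read") and not a(web, oper, "top", "userPassword", "compare"),
        "network-operator writes only under o=Network":
            a(net, "cn=r1,o=Network,o=umc", "top", "cn", "write") and not a(net, user, "umcUser", "cn", "write"),
        "manager changes only its own password":
            a(mgr, mgr.dn, "top", "userPassword", "write") and not a(mgr, user, "umcUser", "userPassword", "write"),
    }
    return [name for name, holds in cases.items() if not holds]

def deny_first(policy):   # ordering pitfall: the blanket userPassword deny hoisted above the grants
    deny = [r for r in policy if r.grant == "none" and r.attrs == PW]
    return deny + [r for r in policy if r not in deny]
```

Calling least_privilege_checks() returns an empty list when every statement on the page holds for POLICY. Calling least_privilege_checks(deny_first(POLICY)) reorders the policy so the blanket userPassword deny comes first, and the same checks then report that RADIUS and the managers' self-service password change have lost their access; that is the kind of regression such a harness is meant to catch before an ACL change reaches a live directory. The exclude on the self-write rule is what keeps the page's "no userPassword rights for the SSC-component-operator group" true even for a component binding against its own entry under o=Operators.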