Access Controls
Access Controls for the Entire Tree
A client that accesses the directory without binding to it (an anonymous client) has no access rights at all. All clients that bind with the credentials of an SDX component or of an operator are members of the SSC-component-operator group and have the following access rights by default:
- No access to the subtree o=Operators,o=umc
- Read access to the remaining directory tree, including the operational attributes creationTimeStamp and modifyTimeStamp
- No read and compare rights for any userPassword values
Clients that bind as the Apache DN or as a member of the WebAdmin group additionally have read and search permissions in the subtree o=Operators,o=umc:
- Read access for all user attributes
- No read and no filter match permissions for the attribute userPassword
Members of the WebAdmin group administer the SAE through the SAE Web Administration pages.
The members of the SSC_Admin group and the super-administrator have full access rights to the entire tree.
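The defaults above, written as slapd.conf access clauses for OpenLDAP. This is an added example, not configuration taken from the product documentation: the page names the SSC-component-operator, WebAdmin and SSC_Admin groups and the Apache DN but gives no DNs for them, so the DNs below (cn=...,ou=groups,o=umc, assumed to be groupOfNames entries, and cn=apache,ou=components,o=operators,o=umc) are assumptions. The super-administrator is taken to be slapd's rootdn, which bypasses access control entirely.

```conf
# Added example (not from the original documentation). Group DNs and the
# Apache bind DN are assumed; the page does not give them.
# slapd evaluates "access to" clauses in order and, unless a clause ends in
# "break", stops at the first one whose target matches the entry/attribute.
# Within a clause the first matching "by" wins. So: specific rules first,
# catch-all last.

# 1. userPassword anywhere in the tree: "auth" lets a client bind with the
#    stored password but, being below "compare" and "read" in slapd's
#    privilege ladder, does not let it read or compare the value.
#    Component rules that need read (SSP, RADIUS) go ahead of this clause.
access to attrs=userPassword
    by group.exact="cn=SSC_Admin,ou=groups,o=umc" write
    by * auth

# 2. The operator subtree is hidden from everyone except the Apache DN,
#    the WebAdmin group and SSC_Admin. Clause 1 already ran for
#    userPassword, so WebAdmin gets no read or filter match on it here.
access to dn.subtree="o=Operators,o=umc"
    by group.exact="cn=SSC_Admin,ou=groups,o=umc" write
    by dn.exact="cn=apache,ou=components,o=operators,o=umc" read
    by group.exact="cn=WebAdmin,ou=groups,o=umc" read
    by * none

# 3. The rest of the tree, including entries, attributes and the "entry"/
#    "children" pseudo-attributes: read for bound components and
#    operators, nothing for anonymous clients and anybody else.
access to dn.subtree="o=umc"
    by group.exact="cn=SSC_Admin,ou=groups,o=umc" write
    by group.exact="cn=SSC-component-operator,ou=groups,o=umc" read
    by anonymous none
    by * none
```

Any component rule that needs more than read (the SAE, POM, RADIUS and so on) must be inserted ahead of these three clauses, otherwise clause 3 matches first and the component is limited to read. Before relying on the policy, check it from the outside: an anonymous `ldapsearch -x` against `o=umc` should return nothing, and a search with `userPassword` in the filter by a WebAdmin member should match no entries.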
Access Controls Against Objects of Type cachedAuthenticationProfile and umcConfiguration
The SAE binds as cn=ssp,ou=components,o=operators,o=umc against the directory and needs full access rights to entries of the object classes cachedAuthenticationProfile and umcConfiguration.
In OpenLDAP it is easier to grant this by targeting the two cache subtrees (o=AuthCache,o=umc and o=UserProfilesCache,o=umc) than by matching the cached entries by object class.
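Both ways of writing the SAE rule, as an added example that is not the product's own configuration. The SAE bind DN is the one the page gives; everything else is slapd.conf syntax. Insert the clauses ahead of the tree-wide rules, because slapd uses the first "access to" clause whose target matches.

```conf
# Added example (not from the original documentation).

# (a) Target by object class. The filter is evaluated against the entry
#     being accessed. Creating a cached entry, however, requires write
#     access to the "children" pseudo-attribute of its parent container,
#     and the container is not of that class, so this clause alone lets
#     the SAE modify and delete cached entries but not add them. It also
#     reaches a cachedAuthenticationProfile created anywhere in the tree.
access to filter="(|(objectClass=cachedAuthenticationProfile)(objectClass=umcConfiguration))"
    by dn.exact="cn=ssp,ou=components,o=operators,o=umc" write
    by * break

# (b) Target by subtree, the form the page recommends for OpenLDAP. The
#     clause covers each container itself (hence its "children"), every
#     entry below it and all attributes, so add, delete and modify all
#     work, and nothing outside the two containers is affected.
#     "by * break" hands every other client on to the later rules instead
#     of denying it here. umcConfiguration entries keep form (a) unless
#     their container is known, which the page does not say.
access to dn.subtree="o=AuthCache,o=umc"
    by dn.exact="cn=ssp,ou=components,o=operators,o=umc" write
    by * break

access to dn.subtree="o=UserProfilesCache,o=umc"
    by dn.exact="cn=ssp,ou=components,o=operators,o=umc" write
    by * break
```

Form (b) is also the one to prefer from a least-privilege standpoint: the SAE's write access is bounded by two known containers rather than by whatever entries happen to carry the object class.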
Access Controls Against sspServiceProfile
In addition to the access rights discussed above, the SSP requires full access rights to objects of type sspServiceProfile.
Access Controls Against umcRadiusPerson and umcUser
The SSP requires read access to the userPassword attribute of entries of type umcRadiusPerson and umcUser.
Access Controls Against RADIUS Profiles
RADIUS requires read access to the userPassword attribute in umcRadiusPerson entries, to authenticate subscriber requests, and in umcOutsourcingServiceProfile entries, to determine the tunnel parameters for an L2TP outsourcing scenario. The RADIUS server binds with the credentials of cn=radius,ou=components,o=operators,o=umc.
Access Controls Against the Policy Subtree
The policy management component (POM) binds with the credentials of cn=pom,ou=components,o=operators,o=umc and requires add, delete, and modify rights on all policy and policyFolder objects in the o=Policies,o=umc subtree.
Access Controls Against the Parameter Subtree
POM also requires add, delete, and modify rights on all objects in the o=Parameter,o=umc subtree.
Access Controls for System Management
The system management component binds as cn=sysman,ou=components,o=operators,o=umc and requires full access rights for the subtree ou=SystemManagement,o=Configuration,o=Management,o=umc.
Access Controls Against the Lock Subtree
The object state manager component requires full access rights to the subtree o=Locks,o=umc. This component binds against the directory with the credentials of cn=osm,ou=components,o=operators,o=umc.
Access Controls Against Subscriber, Retailer, and Service Profiles
The workflow component needs to flag objects that are in a transactional state. Those objects can be any umcSubscriber, umcRetailer, or umcServiceProfile. The component must have modify rights on those target objects and write access to all attributes that are part of the auxiliary class transactionalObjectAuxClass, as well as to the attribute objectClass. The workflow component binds with the credentials of cn=workflow,ou=components,o=operators,o=umc against the directory.
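One way to express this as attribute-level rights in OpenLDAP, added here as an example and not the product's own configuration. It relies on slapd's @objectClass form of an attrs list, which expands to the attributes required or allowed by that class, so the member attributes of transactionalObjectAuxClass, which the page does not list, need not be spelled out. The bind DN is the one the page gives.

```conf
# Added example (not from the original documentation). Insert ahead of the
# tree-wide rules. The workflow component may change objectClass and the
# attributes of transactionalObjectAuxClass on subscriber, retailer and
# service-profile objects, and nothing else on them: every other attribute
# of those entries falls through ("break") to the later read-only rules.
access to filter="(|(objectClass=umcSubscriber)(objectClass=umcRetailer)(objectClass=umcServiceProfile))"
        attrs=objectClass,@transactionalObjectAuxClass
    by dn.exact="cn=workflow,ou=components,o=operators,o=umc" write
    by * break

# A clause that names attributes does not cover the "entry" pseudo-
# attribute. Granting write on it separately gives the modify right on
# the entry itself without widening access to any other attribute.
access to filter="(|(objectClass=umcSubscriber)(objectClass=umcRetailer)(objectClass=umcServiceProfile))"
        attrs=entry
    by dn.exact="cn=workflow,ou=components,o=operators,o=umc" write
    by * break
```

Because neither clause grants write on the "children" pseudo-attribute of any container, the workflow component cannot add or delete these objects, which matches the page: it only flags existing ones.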
Access Controls Against the Network Subtree
The network operator is only allowed to administer objects within the subtree o=Network,o=umc and binds against the directory with the credentials of cn=network-operator,o=operators,o=umc.
Access Controls Against Services and Mutex Group Objects
The service operator requires full access rights for umcService objects as well as for umcMutexGroup objects. These objects are subordinates of the entries o=Services,o=umc and o=Scopes,o=umc. The service-operator binds with the DN cn=service-operator,o=operators,o=umc against the directory.
Access Controls Against the Workflow Subtree
Workflow operators manage all workflow objects within the subtree o=Workflows,o=umc and therefore require full access rights for that subtree. These operators bind against the directory with the credentials of cn=workflow-operator,o=operators,o=umc.
Access Controls Against the User Subtree
Subscriber-operators are responsible for the entire o=Users,o=umc subtree and require full access rights. The subscriber-operator uses the credentials of the entry cn=subscriber-operator,o=operators,o=umc.
Access Controls Against Service, Policy, and Global Parameter Objects
All enterprise managers require read and search rights on objects of type umcService, policy, and umcGlobalParameter. These managers bind against the directory with their own credentials.
Administrative Access Rights
SDX operators create an enterprise administrator for a particular enterprise as a subordinate of the enterprise root and add its DN to the enterprise's administrators group. As a result, a client that binds with the enterprise administrator's credentials has full access rights to the entire enterprise subtree. The enterprise administrator is allowed to create activation, subscription, and substitution operators and to add them as members of the corresponding user groups. Figure 24 shows the access rights for the administrators of a particular enterprise. The same figure applies to site and access administrators; only the root of the tree differs, and is then siteName=Site X or accessName=Access xy.
An enterprise manager can also administer sites and accesses.
[Figure 24 (image missing): access rights of the administrators of an enterprise, site, or access within their scope]
Activation Access Rights
Operators who are members of the user group cn=Activations need to be able to change the attribute sspAction in order to activate or deactivate SSP services in an enterprise, site, or access scope. Figure 25 shows these modify rights.
[Figure 25 (image missing): modify rights of activation operators on the sspAction attribute]
Subscription Access Rights
Subscription operators are members of the user group cn=Subscriptions and are able to subscribe to and unsubscribe from SSP services within their specific scope (that is, enterprise-wide, site-wide, or access-wide). Subscribing and unsubscribing means creating and deleting objects of type sspServiceProfile. As a result, subscription operators require full access rights to the objects shown in Figure 26.
[Figure 26 (image missing): objects on which subscription operators hold full access rights]
Substitution Access Rights
Members of the substitutions user group receive the access rights needed to attach auxiliary object classes to objects and to modify the attribute types that belong to the auxiliary class parameterAuxClass.
Common Access Rights for All Managers
All enterprise managers (that is, members of the previously mentioned user groups) have the following common rights:
- Read access to the service subtree (o=services,o=umc)
- Read access to the policy subtree (o=policies,o=umc)
- Read access to the global parameter subtree (o=parameters,o=umc)
- Read access to the manager's own scope, that is, enterprise-wide, site-wide, or access-wide read access
- Modify rights on the userPassword and description values of the manager's own entry
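The manager rights described in this and the preceding four sections (administrators, activation, subscription, substitution, and the common rights), written as scope-aware slapd.conf clauses. This is an added example, not the product's own configuration, and it assumes a layout the page does not give: an enterprise root of the form enterpriseName=<name>,o=Users,o=umc (by analogy with the siteName=... and accessName=... roots the page mentions), and groupOfNames entries cn=Administrators, cn=Activations, cn=Subscriptions and cn=Substitutions directly below that root. The regex captures the enterprise root so that a single clause serves every enterprise and a manager can never reach a sibling enterprise's subtree; the same pattern with siteName or accessName covers the other two scopes.

```conf
# Added example (not from the original documentation). Hypothetical layout:
# enterprise root = enterpriseName=<name>,o=Users,o=umc, user groups
# directly below it. Patterns are written in lowercase because slapd
# matches dn.regex against the normalized DN. Insert ahead of the
# tree-wide rules (first matching clause wins).

# Common right: each manager may change only its own userPassword and
# description. "self" is the bound DN. Add a filter on the manager object
# class if subscribers below the same root can bind as well.
access to dn.regex="^.*,enterprisename=[^,]+,o=users,o=umc$"
        attrs=userPassword,description
    by self write
    by * break

# Activation operators: the sspAction attribute of service profiles in
# their own enterprise ($1 is the enterprise root captured by the regex).
access to dn.regex="^.*,(enterprisename=[^,]+,o=users,o=umc)$"
        filter="(objectClass=sspServiceProfile)"
        attrs=sspAction
    by group.expand="cn=Activations,$1" write
    by * break

# Subscription operators: modify and delete sspServiceProfile entries.
# Creating one additionally needs write on the "children" pseudo-attribute
# of the container that holds the profiles; the page does not name that
# container, so add a clause for it in the same style.
access to dn.regex="^.*,(enterprisename=[^,]+,o=users,o=umc)$"
        filter="(objectClass=sspServiceProfile)"
    by group.expand="cn=Subscriptions,$1" write
    by * break

# Substitution operators: attach auxiliary classes (objectClass) and set
# the attributes of parameterAuxClass, expanded with the @class form.
access to dn.regex="^.*,(enterprisename=[^,]+,o=users,o=umc)$"
        attrs=objectClass,@parameterAuxClass
    by group.expand="cn=Substitutions,$1" write
    by * break

# Administrators: everything below their enterprise root. All other
# managers of that enterprise: read within the scope. Anyone else is
# handed on to the tree-wide rules.
access to dn.regex="^(.*,)?(enterprisename=[^,]+,o=users,o=umc)$"
    by group.expand="cn=Administrators,$2" write
    by group.expand="cn=Activations,$2" read
    by group.expand="cn=Subscriptions,$2" read
    by group.expand="cn=Substitutions,$2" read
    by * break

# Read access to services, policies and global parameters for any DN bound
# from within an enterprise scope. In a "by" pattern a trailing "$" is
# written "$$" because the pattern is subject to $n expansion.
access to dn.subtree="o=Services,o=umc"
    by dn.regex="^.*,enterprisename=[^,]+,o=users,o=umc$$" read
    by * break

access to dn.subtree="o=Policies,o=umc"
    by dn.regex="^.*,enterprisename=[^,]+,o=users,o=umc$$" read
    by * break

access to dn.subtree="o=Parameters,o=umc"
    by dn.regex="^.*,enterprisename=[^,]+,o=users,o=umc$$" read
    by * break
```

The property worth testing after deploying clauses like these is isolation: bind as an activation operator of one enterprise and confirm that a search under a different enterprise root returns nothing and that a modify of sspAction there is rejected, since both the group lookup and the target are tied to the same captured root.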