Roles, ACI and Entities
Hi,
How can I know about the entities associated with a role which are connected through any ACI?
I am using this for access control and using entities to identify tasks.
I wish to find the tasks (entities) associated with any role.
How can I do this through the LDAP API?
I wish to get the list of tasks for a role corresponding to a location.
Message was edited by: KURALa at 2007-11-27 11:20:05

# 1
Hi,
It is quite difficult to understand what you are really asking, because you are mixing your application model with Directory Server concepts.
To know which roles are assigned to any "LDAP entry", read the entry and more specifically the nsRoles attribute. This is an operational attribute, computed and present in all entries that have a role assigned.
To know all entries that have one specific role depends on the kind of role and how they are managed.
I would encourage you to take a look at the Deployment Guide and the Administration Guide (the Roles sections) to have more details on the Roles feature of Directory Server.
Regards,
Ludovic.
# 2
Probably it is not as simple as you are thinking it to be.
Let me try again.
1. Rights over any entry in a Directory are controlled through an ACI (Access Control Information).
2. Roles can be referred to in any ACI directly.
3. Users in the Directory can be assigned one or many Roles.
I hope now you understand what I am trying to say.
The association is more like this:
Entry -> ACI --> Role --> User
Scenario 1.
When I search entries after logging in through a User, I can get the entries associated to this user through Roles and ACI.
Now the problem is:
Scenario:
If now I log in through the administrator, I wish to know the entries associated not directly to the user but to any one role.
I have to control the entry association with roles without any respect to Users; this way I can separate the Roles-to-Entry association from the User-and-Role association, which is the requirement of our Application.
Something like this:
I wish to control these associations separately:
(Entry -> ACI --> Role) and (Roles --> User)
So that when I wish to know about the entries associated with the role, I don't need to log in through any particular user but the admin.
KURALa at 2007-7-29 14:40:32

# 3
> Probably it is not as simple as you are thinking it
> to be.
> Let me try again
>
> 1. Rights over any entry in a Directory are
> controlled through an ACI (Access Control
> Information)
Through a set of ACIs, in reality.
>
> 2. Roles can be referred in any ACI directly.
ACI can protect roles, but also have a subject that is a Role or a Group or a Simple DN or a DN pattern.
>
> 3. Users in Directory can be assigned one or many
> Roles.
>
> I hope now you understand what I am trying to say
>
> The association is more like this
> Entry -> ACI -->Role --> User
>
> Scenario 1.
> When I search entries after logging in through a
> User, I can get the entries associated to this user
> through Roles and ACI.
I would not say it like this, but this way (cultural differences ;-)).
You are granted the permission by ACI to READ entries as this User, because the User has the appropriate Roles.
>
>
> Now the problem is :
>
> Scenario:
> If now i login through administrator and i wish to
> know the entries associated not directly to the user
> but any one role.
As an Administrator, you want to know WHICH entries will have Access Granted by ACI for a Specific Role...
And you can do this with the GetEffectiveRights control that is implemented in the DS version of ldapsearch.
I don't think that you can specify directly a Role when evaluating permissions for that user (as an administrator), but you can definitely specify any user in that role and then identify which permissions are Role based and which ones are direct.
You might want to read carefully the Administration Guide, Managing Access Controls section and more specifically <http://docs.sun.com/source/816-6698-10/aci.html#16222>
Regards,
Ludovic.
>
> I have to control the entry association with roles
> without any respect to Users; this way I can separate
> the Roles-to-Entry association from the User-and-Role
> association, which is the requirement of our
> Application.
>
> Something like this:
> I wish to control these association seperately
> (Entry -> ACI -->Role)and (Roles --> User)
>
>
> So that when I wish to know about the entries
> associated with the role, I don't need to log in through
> any particular user but the admin.
# 4
Thanks a lot, Ludovic!!!
I think now we are on the same page as per the understanding of the problem.
I know that I can use getEffectiveRights using the Editor/Console.
The problem is at the coding level (with the API).
I wish someone could suggest to me a way (standard or innovative) to do the same with the use of any Java API (I am currently using the Netscape API for interacting with LDAP).
(cultural differences ;-)) - I tried my best to explain the problem. Thanks for understanding the problem and rephrasing it for all to understand it in a better way.
KURALa at 2007-7-29 14:40:32
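The approach Ludovic describes in #3 (bind as an administrator, run the search with the Get Effective Rights control for a user who holds the role, then read back which ACI granted each right), written against the Netscape LDAP Java SDK that the asker in #4 says he is using. This is an added example, not code posted in the thread and not Sun's own sample: the host, port, credentials and DNs are placeholders; the control OID 1.3.6.1.4.1.42.2.27.9.5.2, the "dn: <user DN>" authorization-id value, and the aclRights / aclRightsInfo attribute names and subtypes are assumed to be those of Sun Directory Server 5.2 (the computed role attribute is written nsRole here, as Sun DS names it). The caller must itself be allowed to use the control; binding as Directory Manager covers that.

```java
import java.util.Enumeration;

import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPAttributeSet;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPControl;
import netscape.ldap.LDAPEntry;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSearchConstraints;
import netscape.ldap.LDAPSearchResults;

/*
 * Added example (not from the thread). Binds as an administrator and asks the
 * server which task entries a chosen role member may read, by attaching the
 * Sun DS Get Effective Rights control to a search. Server-side names (OID,
 * authzid format, aclRights* attributes, nsRole) are assumed from Sun DS 5.2.
 */
public class RoleEffectiveRights {

    // Sun DS Get Effective Rights request control (assumed OID).
    static final String GET_EFFECTIVE_RIGHTS_OID = "1.3.6.1.4.1.42.2.27.9.5.2";

    /** True if an aclRights value like "add:0,delete:0,read:1,write:0,proxy:0" grants the named right. */
    static boolean grants(String aclRightsValue, String right) {
        for (String pair : aclRightsValue.split(",")) {
            String[] kv = pair.trim().split(":");
            if (kv.length == 2 && kv[0].equalsIgnoreCase(right)) {
                return "1".equals(kv[1].trim());
            }
        }
        return false;
    }

    /** Control value is the authorization id "dn: <user DN>" as an octet string (assumed format). */
    static LDAPControl effectiveRightsFor(String userDn) {
        return new LDAPControl(GET_EFFECTIVE_RIGHTS_OID, true, ("dn: " + userDn).getBytes());
    }

    public static void main(String[] args) throws LDAPException {
        String host = "ldap.example.com";                    // placeholder
        int port = 389;                                      // placeholder
        String adminDn = "cn=Directory Manager";             // placeholder
        String adminPw = args.length > 0 ? args[0] : "";
        String tasksBase = "ou=Tasks,dc=example,dc=com";     // placeholder: where the task entries live
        // Any user that holds the role under examination; the server computes rights as this user.
        String roleMemberDn = "uid=kural,ou=People,dc=example,dc=com";

        LDAPConnection conn = new LDAPConnection();
        try {
            conn.connect(3, host, port, adminDn, adminPw);

            // 1. Confirm which roles the chosen user actually holds (computed attribute nsRole).
            LDAPEntry user = conn.read(roleMemberDn, new String[] { "nsRole" });
            LDAPAttribute roles = user.getAttribute("nsRole");
            System.out.println("Roles of " + roleMemberDn + ":");
            if (roles != null) {
                for (Enumeration<?> e = roles.getStringValues(); e.hasMoreElements();) {
                    System.out.println("  " + e.nextElement());
                }
            }

            // 2. Search the task subtree as admin; the control makes the server report,
            //    per returned entry, the rights roleMemberDn would have on it.
            LDAPSearchConstraints cons = conn.getSearchConstraints();
            cons.setServerControls(effectiveRightsFor(roleMemberDn));
            String[] attrs = { "aclRights", "aclRightsInfo" };
            LDAPSearchResults results = conn.search(tasksBase, LDAPConnection.SCOPE_SUB,
                    "(objectClass=*)", attrs, false, cons);

            while (results.hasMoreElements()) {
                LDAPEntry entry = results.next();
                LDAPAttributeSet set = entry.getAttributeSet();
                for (Enumeration<?> a = set.getAttributes(); a.hasMoreElements();) {
                    LDAPAttribute attr = (LDAPAttribute) a.nextElement();
                    String name = attr.getName().toLowerCase();
                    Enumeration<?> vals = attr.getStringValues();
                    if (!vals.hasMoreElements()) continue;
                    String value = (String) vals.nextElement();
                    // Entry-level rights arrive as the subtype aclRights;entryLevel.
                    if (name.equals("aclrights;entrylevel") && grants(value, "read")) {
                        System.out.println("readable by role member: " + entry.getDN());
                    }
                    // aclRightsInfo;logs;entryLevel;read names the ACI that decided it, which is
                    // how to tell a roledn-based grant from a direct userdn grant (Ludovic's point).
                    if (name.equals("aclrightsinfo;logs;entrylevel;read")) {
                        System.out.println("  decided by: " + value);
                    }
                }
            }
        } finally {
            conn.disconnect();
        }
    }
}
```

Run it as `java RoleEffectiveRights <admin password>`. The rights reported are the whole set the proxied user would get, role-based and direct together, so to separate the Role-to-Entry association from the User-to-Role one you filter on the ACI named in aclRightsInfo: grants whose ACI subject is a roledn belong to the role, grants naming a userdn belong to that user. Requesting `aclRights` with a list of attribute names (for example `aclRights`, `cn`, `description`) additionally returns `aclRights;attributeLevel;<attr>` values when you need per-attribute rather than entry-level answers.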
