set reg-user Command -- Configure Registered User Access Level Rights
This command grants specified access rights at the registered user access level, to specified users, over a specified scope.
cad
This command grants specified access rights at the registered user access level, to specified users, over a specified scope.
Access rights granted at this access level can be taken away by access control rules defined at the protected items access level.
Access control rules are effective only if you enable access controls.
This command has the following format:
set reg-user [tag] = { users scope [attrs = attribute-list] [auth-level = simple | ssl-auth] [perms = permission-list] [validity = [start hhmm end hhmm] [on day]] };
- tag(Optional) Defines a name for this rule.
- usersDefines the users that this rule applies to, whereusersis one of the following:
- user =DNDefines the user that this rule applies to.
- role =DNDefines the role that this rule applies to.
- group =group-nameDefines the access control group that this rule applies to. Use of access control groups is deprecated, so use of this option is also deprecated.
- user-subtree =DNDefines the top of the subtree of users that this rule applies to.
- own-entrySpecifies that the users defined inscopehave access to their own entries only.
- own-subtreeSpecifies that the users defined inscopehave access to their own entries and any entries below their own entry.
- scopeDefines the area of the DIT that this rule gives access to, wherescopeis one of the following:
- entry =DNSpecifies the entry that this rule grants access to.
- subtree =DNSpecifies the subtree that this rule grants access to.
- attrs =attribute-list(Optional) Defines the attributes or attribute set to which this rule applies, whereattribute-listis a comma-separated list of attribute names.Ifattrsis not specified, then the access rule applies to the whole entry.addandremovepermissions require thatattrsis not specified.
- perms =permission-list(Optional) Specifies the permissions (access rights) that this rule grants to theusersfor thescope.Ifpermsis not specified, then read access permission is granted.permission-listis a comma-separated list of one or more of the following:
- allGrants users all permissions over the scope.
- readGrants users permission to read the information defined in the scope.
- addGrants users permission to add to the information defined in the scope. This also grants read permission.
- removeGrants users permission to delete entries defined in the scope. This also grants read permission.
- modifyGrants users permission to change information defined in the scope. This also grants read permission.
- renameGrants users permission to rename the entries defined in the scope. This also grants read permission.
- auth-level = simple | ssl-auth(Optional) Specifies the level of authentication required. If you use this option, use one of the following:
- simpleSpecifies that this rule only applies to users who bind using simple authentication (username and password).
- ssl-authSpecifies that this rule only applies to users who bind using SSL authentication.
- validity = [starthhmmendhhmm] [onday](Optional) Defines the period during which this rule is valid. Use any of the following:
- starthhmmendhhmmDefines the start and end of the period during which this rule is valid.
- ondayDefines the day on which this rule is valid, wheredayis a string like 12345 or 67 (1 is Monday).
Example: Give Read Access to All Users in a Subtree
In the following example, all the users in the R&D subtree can read the Democorp subtree:
set reg-user R&D-Users"= { user-subtree = <c AU"><o Democorp"><ou R&D"> subtree = <c AU"><o Democorp"> };
Example: Give Read Access to an Entry
In the following example, all users in the group staff have read privileges on the Democorp entry:
set reg-user democorp-staff" = { group = staff" entry = <c AU"><o Democorp"> };
Example: Let All Users Read Some Attributes in Their Own Entry
The following example lets any user in the subtree AU/Democorp view only the selected attributes in their entry:
set reg-user = { own-entry subtree = <c AU"><o Democorp"> attrs = telephoneNumber, commonName, surname, title, mhsORAddresses, odEmail };
Example: Let All Users Read and Modify Some Attributes
In this example, all Democorp users can browse all entries in the subtree Democorp; however, when they read or search for an entry in the subtree, only those attributes that you declare are visible.
The users also have modify privileges on the listed attributes for all entries in the subtree:
set reg-user self-view" = { user-subtree = <c AU><o Democorp> subtree = <c AU"><o Democorp"> attrs = telephoneNumber, commonName, surname, title, mhsORAddresses, dcEmail perms = modify };