set super-user Command -- Configure Super User Access Level Rights
This command grants all access rights (permissions) at the super user access level, to specified users. The scope is a user's own entry, or own subtree, or the whole directory.
Access rights granted at this access level cannot be taken away by other access control rules.
Access control rules are effective only if you enable access controls.
This command has the following format:
set super-user [tag] = { users [auth-level = simple | ssl-auth] [validity = [start hhmm end hhmm] [on day]] };
- tag: (Optional) Defines a name for this rule.
- users: Defines the users that this rule applies to, where users is one of the following:
  - user = DN: Defines the user that this rule applies to.
  - role = DN: Defines the role that this rule applies to.
  - group = group-name: Defines the access control group that this rule applies to. Use of access control groups is deprecated, so use of this option is also deprecated.
  - user-subtree = DN: Defines the top of the subtree of users that this rule applies to.
  - own-entry: Specifies that the users defined in scope have super user access to their own entries only.
  - own-subtree: Specifies that the users defined in scope have super user access to their own entries and any entries below their own entry.
- auth-level = simple | ssl-auth: (Optional) Specifies the level of authentication required. If you use this option, use one of the following:
  - simple: Specifies that this rule only applies to users that bind using simple authentication (username and password).
  - ssl-auth: Specifies that this rule only applies to users that bind using SSL authentication.
- validity = [start hhmm end hhmm] [on day]: (Optional) Defines the period during which this rule is valid. Use any of the following:
  - start hhmm end hhmm: Defines the start and end of the period during which this rule is valid.
  - on day: Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is Monday).
Example: Give Super User Privileges to One User
The following command defines a single user with super user privileges:
set super-user dsa-manager = { user = <c AU><o Democorp><commonName "DSA manager"> };
Example: Give Users Super User Rights to Their Own Entry Only
The following command gives all users in the domain of this DSA super user privileges on their own entry from 0800 hours to 1800 hours on Monday (day 1) to Friday (day 5):
set super-user self = { own-entry validity = ( start 0800 end 1800 on 12345 ) };
When you include this command in an access.dxc file that multiple DSAs source, all users in the domains of those DSAs will have super user privileges on their own entries.
The own-entry and own-subtree options are the only types of super user rule that do not grant the user access to all parts of the DSA.
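Because super user rights cannot be taken away by other access control rules, and a shared access.dxc file applies its rules to every DSA that sources it, it helps to review these rules mechanically. The following script is an added example, not part of the product or its documentation: it parses set super-user rules in the format shown above and reports each rule's scope, auth-level and validity. The function name, the "ops" rule and its DN, and the treatment of lines starting with # as comments are assumptions.

```python
import re

# Constructed sample: the page's two example rules plus one constructed rule
# (the "ops" tag and its DN are hypothetical).
SAMPLE_DXC = '''\
set super-user dsa-manager = { user = <c AU><o Democorp><commonName "DSA manager"> };
set super-user self = { own-entry validity = ( start 0800 end 1800 on 12345 ) };
set super-user ops = { role = <c AU><o Democorp><commonName "own-entry ops"> auth-level = ssl-auth };
'''

# The tag is optional, so "set super-user = { ... };" must also match.
RULE = re.compile(r"set\s+super-user\s+(?:([\w-]+)\s*)?=\s*\{(.*?)\}\s*;", re.S)
SCOPE = re.compile(r"(?<![\w-])(own-entry|own-subtree)(?![\w-])")
AUTH = re.compile(r"auth-level\s*=\s*(simple|ssl-auth)")

def audit_super_user_rules(text):
    """Summarise each 'set super-user' rule and list the points to review."""
    # Assumption: a line starting with '#' is a comment and defines no rule.
    text = re.sub(r"(?m)^[ \t]*#.*$", "", text)
    results = []
    for tag, body in RULE.findall(text):
        # Blank out quoted DN values so they cannot be mistaken for keywords.
        bare = re.sub(r'"[^"]*"', '""', body)
        scope = SCOPE.search(bare)
        auth = AUTH.search(bare)
        rule = {
            "tag": tag or "(untagged)",
            # Without own-entry/own-subtree the rule covers the whole directory.
            "scope": scope.group(1) if scope else "whole-directory",
            "auth_level": auth.group(1) if auth else None,
            "time_limited": re.search(r"validity\s*=", bare) is not None,
        }
        review = []
        if not scope:
            review.append("not limited to own-entry/own-subtree")
        if rule["auth_level"] != "ssl-auth":
            review.append("not restricted to ssl-auth binds")
        if not rule["time_limited"]:
            review.append("no validity window")
        rule["review"] = review
        results.append(rule)
    return results

if __name__ == "__main__":
    for r in audit_super_user_rules(SAMPLE_DXC):
        print(r["tag"], r["scope"], r["auth_level"], r["review"])
```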