Understanding how OpenDJ evaluates the aci values is critical when implementing an access control policy. The rules the server follows are simple.
- To determine whether an operation is allowed or denied, the OpenDJ server looks in the directory for the target of the operation. It collects any aci values from that entry, then walks up the directory tree to the suffix, collecting all aci values en route. Global aci values are then collected.
- It then separates the aci values into two lists: one list contains all the aci values that match the target and deny the required access, and the other list contains all the aci values that match the target and allow the required access.
- If the deny list contains any aci values after this procedure, access is immediately denied.
- If the deny list is empty, the allow list is processed. If the allow list contains any aci values, access is allowed.
- If both lists are empty, access is denied.
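The evaluation order above, as an added Python model that is not OpenDJ's own code: aci values are represented as constructed records with a simplified "applies to this right and this bind DN" rule, because the real aci syntax (targets, rights, bind rules) is not covered on this page, and the directory tree, DNs and aci names are sample values. The model makes the point that one matching deny wins even when the allow list is non-empty, and that an empty allow list means deny.

```python
"""Model of the aci evaluation order: collect, split into deny/allow, deny wins."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Aci:
    """Simplified aci (constructed, not the real OpenDJ syntax)."""
    name: str
    effect: str        # "allow" or "deny"
    rights: frozenset  # rights covered, e.g. {"read", "write"}
    users: frozenset   # bind DNs it applies to; "anyone" covers every bind, including anonymous

    def applies(self, right: str, bind_dn: str) -> bool:
        """Does this aci match the requested right for the bound user?"""
        return right in self.rights and ("anyone" in self.users or bind_dn in self.users)


def parent_dn(dn: str) -> Optional[str]:
    """Parent of a DN, assuming plain comma-separated RDNs without escaped commas."""
    _head, sep, tail = dn.partition(",")
    return tail if sep else None


def collect_acis(target_dn: str, suffix: str,
                 entries: Dict[str, List[Aci]], global_acis: List[Aci]) -> List[Aci]:
    """Step 1: aci values on the target entry, then each ancestor up to the suffix, then global ones."""
    collected: List[Aci] = []
    dn: Optional[str] = target_dn
    while dn is not None:
        collected.extend(entries.get(dn, []))
        if dn == suffix:
            break
        dn = parent_dn(dn)
    collected.extend(global_acis)
    return collected


def evaluate(target_dn: str, suffix: str, right: str, bind_dn: str,
             entries: Dict[str, List[Aci]], global_acis: List[Aci]) -> Tuple[bool, List[str], List[str]]:
    """Steps 2-5: split matching acis into deny and allow lists; any deny wins, else any allow, else deny.

    Returns (decision, names of matching denies, names of matching allows).
    """
    candidates = collect_acis(target_dn, suffix, entries, global_acis)
    denies = [a.name for a in candidates if a.effect == "deny" and a.applies(right, bind_dn)]
    allows = [a.name for a in candidates if a.effect == "allow" and a.applies(right, bind_dn)]
    if denies:
        return False, denies, allows
    if allows:
        return True, denies, allows
    return False, denies, allows  # both lists empty: default deny


# Constructed sample tree; DNs and aci names are hypothetical.
SUFFIX = "dc=example,dc=com"
HR_DN = "uid=hr,ou=People,dc=example,dc=com"
ENTRIES: Dict[str, List[Aci]] = {
    SUFFIX: [Aci("anyone-read", "allow", frozenset({"read", "search"}), frozenset({"anyone"}))],
    "ou=People,dc=example,dc=com": [Aci("hr-write", "allow", frozenset({"write"}), frozenset({HR_DN}))],
    "uid=bjensen,ou=People,dc=example,dc=com": [
        Aci("bjensen-hidden", "deny", frozenset({"read"}), frozenset({"anyone"}))],
}
GLOBAL_ACIS = [Aci("global-search", "allow", frozenset({"search"}), frozenset({"anyone"}))]


def is_allowed(target_dn: str, right: str, bind_dn: str = "") -> bool:
    """Convenience wrapper over the sample tree; an empty bind_dn means anonymous."""
    return evaluate(target_dn, SUFFIX, right, bind_dn, ENTRIES, GLOBAL_ACIS)[0]


if __name__ == "__main__":
    for dn, right, who in [
        ("uid=kvaughan,ou=People,dc=example,dc=com", "read", ""),
        ("uid=bjensen,ou=People,dc=example,dc=com", "read", HR_DN),
        ("uid=kvaughan,ou=People,dc=example,dc=com", "write", ""),
        ("uid=kvaughan,ou=People,dc=example,dc=com", "write", HR_DN),
    ]:
        ok, d, a = evaluate(dn, SUFFIX, right, who, ENTRIES, GLOBAL_ACIS)
        print(f"{right:6} on {dn} as {who or 'anonymous'}: {'ALLOW' if ok else 'DENY'} deny={d} allow={a}")
```

Run it as a script to see, for each request, which aci names landed in the deny list and which in the allow list; the second case shows an entry-level deny overriding the suffix-level allow that would otherwise have granted read access.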
Note

Some operations require multiple permissions and involve multiple targets. Evaluation will therefore take place multiple times. For example, a search operation requires the
