Access Control Usage Examples

234 Netscape Directory Server Administrator’s Guide • January 2002

Restricting Access to Key Roles

You can use role definitions in the directory to identify functions that are critical to your business, the administration of your network and directory, or another purpose.

For example, you might create a superAdmin role by identifying a subset of your system administrators that are available at a particular time of day and day of the week at corporate sites worldwide. Or you might want to create a First Aid role that includes all members of staff on a particular site that have done first aid training. For information on creating role definitions, refer to “Using Roles,” on page 160.

When a role gives any sort of privileged user rights over critical corporate or business functions, you should consider restricting access to that role. For example, at example.com, employees can add any role to their own entry, except the superAdmin role. This is illustrated in the ACI “Roles” example.

ACI “Roles”

In LDIF, to grant example.com employees the right to add any role to their own entry, except the superAdmin role, you would write the following statement:

aci: (targetattr = "nsRoleDn")(targattrfilters="add=nsRoleDN:(nsRoleDN !="cn=superAdmin,dc=example,dc=com")") (version 3.0; acl "Roles"; allow (write) userdn= "ldap:///self" and dns="*.example.com";)

This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com entry.

From the Console, you can set this permission by doing the following:

1. On the Directory tab, right click the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.

2. Click New to display the Access Control Editor.

3. On the Users/Groups tab, in the ACI name field, type "Roles". In the list of users granted access permission, do the following:

   a. Select and remove All Users, then click Add. The Add Users and Groups dialog box is displayed.

   b. Set the Search area in the Add Users and Groups dialog box to Special Rights, and select Self from the Search results list.
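The following is an added example, not code from the Netscape Directory Server product or this guide. It is a small Python model of how the “Roles” ACI above decides a request: the targetattr must cover the attribute, the bound user must be modifying its own entry (userdn="ldap:///self"), the client must come from a host matching dns="*.example.com", and, because of the targattrfilters clause, every value being added to nsRoleDN must satisfy the filter (nsRoleDN != "cn=superAdmin,dc=example,dc=com"). The function and helper names, the sample user DNs and host names are constructed for the example; DN comparison is simplified to case-insensitive, comma-trimmed matching, and only the single-attribute filters used in this ACI are parsed. It is useful for checking, before deployment, which nsRoleDN values such an ACI would let a user add to their own entry and which it would reject.

```python
"""Toy evaluator for the "Roles" ACI (added example, not server code).

Models only the conditions visible in that ACI: targetattr, the
targattrfilters 'add' filter, and the userdn=self / dns bind rules.
Real ACI evaluation in the directory server is considerably richer.
"""
import fnmatch
import re

# The ACI string from the guide, used verbatim as the sample input.
ROLES_ACI = (
    '(targetattr = "nsRoleDn")'
    '(targattrfilters="add=nsRoleDN:(nsRoleDN !="cn=superAdmin,dc=example,dc=com")")'
    ' (version 3.0; acl "Roles"; allow (write) userdn= "ldap:///self"'
    ' and dns="*.example.com";)'
)

# Single-attribute filter of the form (attr = value) or (attr != value).
FILTER_RE = re.compile(r'\(\s*(\w+)\s*(!=|=)\s*"?([^")]*)"?\s*\)')


def extract_targattrfilters(aci):
    """Return the raw value of the targattrfilters clause.

    The value contains its own quoted strings, so matching on quotes alone
    fails; scan forward and stop at the '"' that closes the clause while
    parenthesis depth is back at 0.
    """
    key = 'targattrfilters="'
    start = aci.index(key) + len(key)
    depth = 0
    for i in range(start, len(aci)):
        c = aci[i]
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == '"' and depth == 0 and aci[i + 1:i + 2] == ")":
            return aci[start:i]
    raise ValueError("unterminated targattrfilters clause")


def parse_targattrfilters(aci):
    """Parse 'add=attr:(filter);del=attr:(filter)' into
    {operation: {attribute_lower: (comparison, reference_value)}}."""
    rules = {}
    for clause in extract_targattrfilters(aci).split(";"):
        clause = clause.strip()
        if not clause:
            continue
        operation, _, spec = clause.partition("=")
        attr, _, flt = spec.partition(":")
        m = FILTER_RE.fullmatch(flt.strip())
        if m is None:
            raise ValueError("unsupported filter: %s" % flt)
        rules.setdefault(operation.strip().lower(), {})[attr.strip().lower()] = (
            m.group(2), m.group(3))
    return rules


def target_attrs(aci):
    """Attributes named in targetattr ('||' separates several), lower-cased."""
    m = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci)
    return {a.strip().lower() for a in m.group(1).split("||")} if m else set()


def normalize_dn(dn):
    """Simplified DN matching (assumption): case-insensitive, spaces
    around commas ignored.  Real servers apply full RFC 4514 rules."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def roles_aci_permits(bind_dn, bind_host, target_dn, attr, new_values, aci=ROLES_ACI):
    """Decide whether adding new_values to attr on target_dn, bound as
    bind_dn from bind_host, is allowed.  Returns (allowed, rejected_values)."""
    # 1. The ACI only grants anything for the attributes in targetattr.
    if attr.lower() not in target_attrs(aci):
        return False, list(new_values)
    # 2. userdn="ldap:///self": the user may only modify its own entry.
    if normalize_dn(bind_dn) != normalize_dn(target_dn):
        return False, list(new_values)
    # 3. dns="*.example.com": the client host must match the pattern.
    m = re.search(r'dns\s*=\s*"([^"]*)"', aci)
    if m and not fnmatch.fnmatchcase(bind_host.lower(), m.group(1).lower()):
        return False, list(new_values)
    # 4. targattrfilters: each added value must satisfy the 'add' filter.
    rule = parse_targattrfilters(aci).get("add", {}).get(attr.lower())
    rejected = []
    if rule is not None:
        comparison, ref = rule
        for v in new_values:
            same = normalize_dn(v) == normalize_dn(ref)
            if (comparison == "!=" and same) or (comparison == "=" and not same):
                rejected.append(v)
    return not rejected, rejected


if __name__ == "__main__":
    me = "uid=bjensen,ou=example-people,dc=example,dc=com"  # constructed sample user
    print(roles_aci_permits(me, "ws1.example.com", me, "nsRoleDN",
                            ["cn=FirstAid,dc=example,dc=com",
                             "cn=superAdmin,dc=example,dc=com"]))
```

Running the block shows the First Aid role being accepted and the superAdmin role being listed as rejected for the same request, which is the behaviour the “Roles” ACI is meant to enforce; changing the bind host or the target entry to someone else's makes the whole request fail the bind rules before the value filter is even consulted.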