Performing a Site Survey
Chapter 2 How to Plan Your Directory Data 35

• Create roles that give groups of people read or write access privileges. For example, you might create roles for human resources, finance, or accounting. Allow each of these roles to have read access, write access, or both to the data needed by the group, such as salary information, government identification number (in the US, Social Security Number), and home phone numbers and address.

For more information about roles and grouping entries, refer to “Grouping Directory Entries,” on page 71.

As you determine who can write to the data, you may find that multiple individuals need to have write access to the same information. For example, you will want an information systems (IS) or directory management group to have write access to employee passwords. You may also want the employees themselves to have write access to their own passwords. While you generally must give multiple people write access to the same information, try to keep this group small and easy to identify. Keeping the group small helps ensure your data’s integrity.

For information on setting access control for your directory, see chapter 7, “Designing a Secure Directory,” on page 133.

Determining Data Access

After determining data ownership, decide who can read each piece of data. For example, you may decide to store an employee’s home phone number in your directory. This data may be useful for a number of organizations, including the employee’s manager and human resources. You may want the employee to be able to read this information for verification purposes. However, home contact information can be considered sensitive. Therefore, you must determine if you want this kind of data to be widely available across your enterprise.

For each piece of information that you store in your directory, you must decide the following:

• Can the data be read anonymously?

The LDAP protocol supports anonymous access and allows easy lookups for common information such as office sites, email addresses, and business telephone numbers. However, anonymous access gives anyone who can connect to the directory access to that common information. Consequently, you should use anonymous access sparingly.

• Can the data be read widely across your enterprise?
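The ownership and read-access decisions described above translate directly into access control instructions (ACIs) on the directory. The LDIF below is an added example, not text or code from this guide; it assumes the ACI syntax used by Netscape, Sun and 389 Directory Server, a suffix of dc=example,dc=com, an HR role named cn=HR Role and an IS group named cn=Directory Administrators, all constructed for illustration. It grants anonymous read of the common business attributes only, restricts home contact information to the employee, the employee’s manager and the HR role, and limits password writes to the employee and the IS group. Because ACIs deny anything not explicitly allowed, attributes that no rule mentions (salary, government identification number) stay unreadable to ordinary binds.

```ldif
# Constructed example: ACIs on the People container of dc=example,dc=com.
# Assumes cn=HR Role is a defined role and cn=Directory Administrators
# is an existing static group; both names are placeholders for this example.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
# Common information that may be looked up without binding.
aci: (targetattr="l || mail || telephoneNumber")
 (version 3.0; acl "Anonymous read of common business attributes";
 allow (read,search,compare) userdn="ldap:///anyone";)
# Home contact information: the employee, the manager named in the
# entry's manager attribute, and members of the HR role.
aci: (targetattr="homePhone || homePostalAddress")
 (version 3.0; acl "Home contact info for self, manager and HR";
 allow (read,search,compare)
 userdn="ldap:///self" or
 userattr="manager#USERDN" or
 roledn="ldap:///cn=HR Role,dc=example,dc=com";)
# Password changes: the employee and the small IS/directory management group.
aci: (targetattr="userPassword")
 (version 3.0; acl "Password write for self and IS group";
 allow (write)
 userdn="ldap:///self" or
 groupdn="ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
```

Apply the file with ldapmodify while bound as the directory administrator, then verify the policy from the other side: an anonymous search for a person should return mail and telephoneNumber but no homePhone, and a bind as an ordinary employee should be able to modify its own userPassword but not a colleague’s.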