Access Control Principles 204 Red Hat Directory Server Administrator’s Guide • May 2005

For example, if you deny write permission at the directory’s root level, then none of the users can write to the directory, regardless of the specific permissions you grant them. To grant a specific user write permission to the directory, you have to restrict the scope of the original denial for write permission so that it does not include the user.

ACI Limitations

When creating an access control policy for your directory service, you need to be aware of the following restrictions:

• If your directory tree is distributed over several servers using the chaining feature, some restrictions apply to the keywords you can use in access control statements:

  – ACIs that depend on group entries (groupdn keyword) must be located on the same server as the group entry. If the group is dynamic, then all members of the group must have an entry on the server, too. If the group is static, the members’ entries can be located on remote servers.

  – ACIs that depend on role definitions (roledn keyword) must be located on the same server as the role definition entry. Every entry that is intended to have the role must also be located on the same server.

  However, you can do value matching of values stored in the target entry with values stored in the entry of the bind user (for example, using the userattr keyword). Access will be evaluated normally even if the bind user does not have an entry on the server that holds the ACI.

  For more information on how to chain access control evaluation, see “Database Links and Access Control Evaluation,” on page 122.

• Attributes generated by a CoS cannot be used in all ACI keywords. Specifically, you should not use attributes generated by CoS with the following keywords:

  – targetfilter (see “Targeting Entries or Attributes Using LDAP Filters,” on page 212)

  – targattrfilters (see “Targeting Attribute Values Using LDAP Filters,” on page 213)

  – userattr (see “Using the userattr Keyword,” on page 227)
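Returning to the root-level write denial described at the start of this page: the following LDIF is an added illustration, not taken from the guide, of restricting the scope of a deny ACI so that it does not cover one user and then granting that user write access. The suffix dc=example,dc=com and the user uid=dsmgr are constructed names.

```ldif
# Constructed example: modify the root suffix of the directory.
dn: dc=example,dc=com
changetype: modify
add: aci
# Deny write to every bind DN other than uid=dsmgr. Because the deny is
# scoped with "!=", it no longer covers dsmgr, so a later allow can take
# effect for that user. An unscoped deny (userdn="ldap:///all") would win
# over any allow, as described above.
aci: (targetattr="*")(version 3.0; acl "Deny write to all but dsmgr";
  deny (write) userdn != "ldap:///uid=dsmgr,ou=People,dc=example,dc=com";)
-
add: aci
# Grant write to the one user excluded from the denial.
aci: (targetattr="*")(version 3.0; acl "Allow dsmgr to write";
  allow (write) userdn = "ldap:///uid=dsmgr,ou=People,dc=example,dc=com";)
```

After applying both values, a write bound as any other user is still rejected by the first ACI, while dsmgr is matched only by the second.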