Designing Access Control
Chapter 8 Designing a Secure Directory

Limit the scope of your allow access rules to include only the smallest possible subset of users or client applications. For example, you can set permissions that allow users to write to any attribute on their own directory entry, but then deny all users except members of the Directory Administrators group the privilege of writing to the uid attribute. Alternatively, you can write two access rules that grant write access in the following ways:

• Create one rule that allows write privileges to every attribute except the uid attribute. This rule should apply to everyone.
• Create one rule that allows write privileges to the uid attribute. This rule should apply only to members of the Directory Administrators group.

By providing only allow privileges, you avoid the need to set an explicit deny privilege.

When to Deny Access

You rarely need to set an explicit deny. However, you may find an explicit deny useful in the following circumstances:

• You have a large directory tree with a complicated ACL spread across it. For security reasons, you find that you suddenly need to deny access to a particular user, group, or physical location (for example, a client IP address or DNS domain). Rather than spend the time to examine your existing ACL carefully to understand how to restrict the allow permissions appropriately, you may want to set an explicit deny temporarily until you have time to do this analysis. If your ACL has become this complicated, then, in the long run, the deny ACI only adds to your administrative burden. As soon as possible, rework your ACL to avoid the explicit deny and simplify your overall access control scheme.
• You want to restrict access control based on a day of the week or an hour of the day. For example, you can deny all writing activities from Sunday at 11:00 p.m. (2300) to Monday at 1:00 a.m. (0100). From an administrative point of view, it may be easier to manage an ACI that explicitly restricts time-based access of this kind than to search through the directory for all the allow-for-write ACIs and restrict their scopes for this time frame.
• You want to restrict privileges when you are delegating directory administration authority to multiple people.
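The two allow-only rules for the uid attribute and the Sunday-night write freeze described above, written out as ACIs in an LDIF modify file. This is an added example, not text from the original guide; the suffix dc=example,dc=com, the ou=People container and the group DN cn=Directory Administrators,ou=Groups,dc=example,dc=com are assumed names.

```ldif
# Added example (not from the original guide). The suffix, the ou=People
# container and the Directory Administrators group DN are assumed names.

# 1. Allow-only design for uid: two allow rules and no deny.
#    Rule one lets a user write every attribute of their own entry except uid;
#    rule two lets only Directory Administrators write uid.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "uid")(version 3.0; acl "Users write their own entry, except uid"; allow (write) userdn = "ldap:///self";)
aci: (targetattr = "uid")(version 3.0; acl "Directory Administrators write uid"; allow (write) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

# 2. Explicit deny for a time window: no write, add or delete operations
#    from Sunday 2300 to Monday 0100. dayofweek and timeofday are bind rules
#    evaluated against the server's local clock, combined with and/or.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "No writes Sun 2300 to Mon 0100"; deny (write, add, delete) (dayofweek = "Sun" and timeofday >= "2300") or (dayofweek = "Mon" and timeofday < "0100");)
```

Apply the file with ldapmodify while bound as an administrator that may write the aci attribute on those entries. Two points to keep in mind: a matching deny always takes precedence over a matching allow, so the time-window ACI blocks Directory Administrators too, and that same precedence is why the uid case is better expressed as two allows than as an allow plus a deny that you would later have to carve exceptions out of. Also, `targetattr != "uid"` grants self-write on every other attribute, including userPassword and objectClass; in a real deployment extend the exclusion list with `||` (for example `"uid || objectClass"`) for any attribute you treat as privileged.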