FusionDirectory ACLs

Note: FusionDirectory ACLs are not LDAP ACLs. FusionDirectory binds to the directory with the single privileged account configured in its own configuration, and then decides from these ACLs what each logged-in user may see or change. They restrict what is done through the FusionDirectory interface only; anything that talks to the LDAP server directly is governed by the server's own access rules, not by these.

FusionDirectory ACLs can be used to give rights on FusionDirectory content to users other than the admin. They can be used, for instance, to allow users to edit their own information, or to allow a project manager to edit the users from their team.

To give rights to users, the first step is to define an ACL role which will list the permissions you want to give.
The second step is to assign this role to the users concerned, on the base you want to give rights on.

To help you get started, FusionDirectory setup can insert default ACL roles for you. Apart from the admin one (giving read/write access to everything), there are:

  • manager: this role gives full read/write access on users main and POSIX tabs
  • editowninfos: this role gives full read/write access on the user’s own main and POSIX tabs
  • editownpwd: this role only gives access to the user's own password, so that they can change it

Assign a role to a user for a given base

So, let's say you want to give the user John Smith full rights (the manager role) on the users in the branch ou=accounting,dc=example,dc=com.
Start by going to the Departments page by clicking it in the left menu.
Then open the department named accounting and go to the ACL Assignments tab.

  1. Click Add (under ACL assignment field)
  2. Select role manager
  3. Select mode subtree
  4. Click Add (under members field) and select John Smith in the dialog
  5. Click Add (bottom right)
  6. Click Ok

You can now see this assignment listed on the ACL assignments page, where existing assignments can be reviewed and modified.

Give rights to users on their own information

Now let’s say you want all users to be able to edit their profile.
Go into ACL assignments and click on “ . [ACL Assignment]”, the entry that manages assignments on the LDAP root.

Click Add and configure a new assignment giving the editowninfos role to all users.

Add it and save it.
If you log in as a normal user, you should now be able to edit your information through the My Account menu.

Of course, if you want to give this right only to some users, you can make the assignment on a department, or select specific users and groups as members of the assignment.

Create your own ACL role

Now let's get into the details of which kind of permission an ACL role can give. Go to ACL roles and create a new one.

Fill in the name and description as you see fit.
Click Add to add ACL rights to this role; you will see a screen listing the ACL categories.

Most categories match an object type; some match several object types, or a whole plugin instead.
Take the Users category for instance. The first part is “Object: User”, which manages rights on the user main tab. Giving the Create right on this part grants the right to create users. For read/write, you can grant global rights on the whole tab, or expand the advanced settings and control read/write rights field by field.

Then there is a part for each user tab, depending on the installed plugins. The Create right on a tab allows activating it, while the Remove right allows deactivating it.
The Grant permission to owner checkbox restricts the rights to the user's own entry, as in the editowninfos role used earlier.

Special cases

Template

The Template part is available for objects which support templates. It allows giving rights on templates and controls rights on the template_cn field.

To create a user from a template, the connected user needs:

  • Read right of user/template:template_cn on the template object (or any parent department)
  • Create right of user/user on the base the user is created in (or any parent department)
  • Write right of the fields required by the templates on the base the user is created in (or any parent department)

Snapshot

Starting from FD 1.3, there is a Snapshot part for objects which support snapshots.

  • Create right means the user will be able to take new snapshots
  • Delete right means the user will be able to delete existing snapshots
  • Write right on the restore_over field means the user will be able to restore snapshots of an existing object
  • Write right on the restore_deleted field means the user will be able to restore snapshots of deleted objects

Assignment mode

The ACL assignment mode defines the scope of the ACL. The following modes are available:

  • Subtree
    The ACL will be valid for all sub departments. In other words, if this ACL is assigned to the LDAP base, it will be active on the complete LDAP directory.
  • Base only
    Assigns the set of ACLs to one single object. This may be useful in rare cases. (Note that you can activate the ACL assignment tab for all objects in the configuration screen. You can also create assignments on arbitrary DNs from the ACL assignments page. Use with care: an assignment placed on an object is as authoritative as one placed on a department, and is easy to overlook when reviewing who holds rights.)

Assignment members

When creating or editing an ACL assignment, members may be users, groups, POSIX groups or roles (the organizational roles managed by FusionDirectory, not the ACL roles themselves).
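Because these ACLs are evaluated by FusionDirectory rather than by the LDAP server, reviewing who holds which rights means reading the role and assignment attributes FusionDirectory stores in the directory, not the server's access rules. The script below is an added example for this page, not FusionDirectory's own code: it decodes roles and assignments and lists, per member, the base, the scope and the rights granted, and singles out assignments that amount to full admin over a subtree. The LDIF is constructed, and the storage layouts are assumptions to verify against your own directory (for instance with `ldapsearch -x -LLL -b dc=example,dc=com '(|(objectClass=gosaRole)(gosaAcl=*))' gosaAclTemplate gosaAcl`): roles as gosaRole entries with gosaAclTemplate values of the form priority:category/object;letters#..., assignments as gosaAcl values of the form priority:scope:role DN:comma-separated base64 member DNs, scopes stored as subtree or base, and the letters c, m, d, r, w for create, move, delete, read and write.

```python
"""Audit FusionDirectory ACL roles and assignments from their LDAP storage.

Added example for this page, not FusionDirectory's own code. The sample LDIF
is constructed; the attribute layouts below are assumptions to verify against
your own directory.
"""
import base64

# Assumed meaning of the right letters in gosaAclTemplate.
ACL_LETTERS = {"c": "create", "m": "move", "d": "delete", "r": "read", "w": "write"}
FULL_RIGHTS = set(ACL_LETTERS.values())


def b64dn(dn):
    """Member DNs inside gosaAcl are assumed to be stored base64-encoded."""
    return base64.b64encode(dn.encode()).decode()


# Constructed sample: the two default roles and the two assignments made on
# this page (admin on the root, manager on ou=accounting for John Smith and a
# group), as they would look once stored. Layout assumed, see lead-in.
SAMPLE_LDIF = f"""
dn: cn=admin,ou=aclroles,dc=example,dc=com
objectClass: gosaRole
cn: admin
gosaAclTemplate: 0:all;cmdrw

dn: cn=manager,ou=aclroles,dc=example,dc=com
objectClass: gosaRole
cn: manager
gosaAclTemplate: 0:user/user;cmdrw#user/posixAccount;cmdrw

dn: dc=example,dc=com
objectClass: gosaAcl
gosaAcl: 0:subtree:cn=admin,ou=aclroles,dc=example,dc=com:{b64dn('uid=fd-admin,ou=people,dc=example,dc=com')}

dn: ou=accounting,dc=example,dc=com
objectClass: gosaAcl
gosaAcl: 0:subtree:cn=manager,ou=aclroles,dc=example,dc=com:{b64dn('uid=jsmith,ou=people,dc=example,dc=com')},{b64dn('cn=accounting-leads,ou=groups,dc=example,dc=com')}
"""


def parse_ldif(text):
    """Minimal LDIF reader: one 'attr: value' per line, blank line between
    entries, no line folding and no '::' base64 values. -> {dn: {attr: [values]}}"""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")   # first colon only: values contain colons
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def parse_role_template(value):
    """'0:user/user;cmdrw#user/posixAccount;cmdrw' -> (priority, [(target, {rights})])"""
    priority, _, rest = value.partition(":")
    grants = []
    for item in rest.split("#"):
        target, _, letters = item.partition(";")
        grants.append((target, {ACL_LETTERS.get(ch, ch) for ch in letters}))
    return int(priority), grants


def parse_assignment(value):
    """'0:subtree:<role DN>:<b64 DN>,<b64 DN>' -> dict (layout assumed)."""
    priority, scope, role_dn, members = value.split(":", 3)
    member_dns = [base64.b64decode(m).decode() for m in members.split(",") if m]
    return {"priority": int(priority), "scope": scope, "role": role_dn, "members": member_dns}


def audit(ldif_text):
    """One row per (member, base): which role, which scope, which rights it carries."""
    entries = parse_ldif(ldif_text)
    roles = {dn: [g for tpl in attrs.get("gosaAclTemplate", [])
                  for g in parse_role_template(tpl)[1]]
             for dn, attrs in entries.items()
             if "gosaRole" in attrs.get("objectClass", [])}
    rows = []
    for dn, attrs in entries.items():
        for value in attrs.get("gosaAcl", []):
            a = parse_assignment(value)
            for member in a["members"]:
                rows.append({"member": member, "base": dn, "scope": a["scope"],
                             "role": a["role"], "grants": roles.get(a["role"], [])})
    return rows


def full_admin_grants(rows):
    """Rows granting all;cmdrw with subtree scope: each is equivalent to the
    admin account on that branch, so review these first."""
    return [r for r in rows if r["scope"] == "subtree"
            and any(t == "all" and FULL_RIGHTS <= rights for t, rights in r["grants"])]


if __name__ == "__main__":
    rows = audit(SAMPLE_LDIF)
    for r in rows:
        rights = "; ".join(f"{t}:{''.join(sorted(x[0] for x in rs))}" for t, rs in r["grants"])
        print(f"{r['member']}\n    {r['scope']} on {r['base']} via {r['role']}\n    {rights}")
    print("full-admin grants:", [r["member"] for r in full_admin_grants(rows)])
```

Feed it the output of the ldapsearch above instead of SAMPLE_LDIF once the layout has been confirmed; the subtree rows on the LDAP root are the ones to look at first, since an assignment there applies to the whole directory.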

en/documentation/fd_acls.txt · Last modified: 2018/03/22 15:27 by Côme Chilliet
CC Attribution-Share Alike 4.0 International