DIRECTORY SERVICES


Target scope
When you select a category as a target in the Target box, you use the Scope of Target box to specify whether a subject's access settings apply only to documents at that category or also to documents under subcategories as well. Keep "This container and all descendants" (the default) selected to apply the subject's access settings to documents under the selected target category as well as to documents under subcategories. Select "This container only" to apply the subject's access settings to documents under the selected target category only.

The following figure shows the target scope "This container and all descendants" selected for the subject Admins/Acme at the / (root) target.

Scope box for an extended ACL

You select a scope for each subject with access at a target category.

Example of using "This container and all descendants" as a target scope

Suppose you want users who access the database through the -Default- entry to see any Person and Group document in the directory but no other type of document. You could do the following:

The following figure illustrates these access settings.

Example1 of extended ACL scope

Example of using "This container only" as a target scope

Suppose the names of documents in your company fall under the organization O=Acme or one of the organizational units OU=East or OU=West. You want to deny the group Admins/Acme all access to documents in the directory except documents at O=Acme. You want to allow the group all access to documents at O=Acme. You could give the group Admins/Acme Editor access in the database ACL with all database ACL privileges and administration roles. At / (root) deny Admins/Acme all access and select "This container and all descendants." At O=Acme allow Admins/Acme all access and select "This container only" as the scope. Admins/Acme deny access set at / (root) continues to apply to OU=East and OU=West.

The following figure illustrates these access settings.

Example1 of extended ACL scope

Related topics