public final class GlobalAccessControlPolicyCfgDefn extends ManagedObjectDefinition<GlobalAccessControlPolicyCfgClient,GlobalAccessControlPolicyCfg>
Provides coarse-grained access control for all operations, regardless of whether they are destined for local or proxy backends. Global access control policies are applied in addition to ACIs and privileges.
Modifier and Type | Class and Description |
---|---|
static class | GlobalAccessControlPolicyCfgDefn.Permission: Defines the set of permissible values for the "permission" property. |
getAggregationPropertyDefinition, getAggregationPropertyDefinitions, getAllAggregationPropertyDefinitions, getAllChildren, getAllConstraints, getAllPropertyDefinitions, getAllRelationDefinitions, getAllReverseAggregationPropertyDefinitions, getAllReverseRelationDefinitions, getAllTags, getChild, getChildren, getConstraints, getDescription, getDescription, getName, getParent, getPropertyDefinition, getPropertyDefinitions, getRelationDefinition, getRelationDefinitions, getReverseAggregationPropertyDefinitions, getReverseRelationDefinitions, getSynopsis, getSynopsis, getUserFriendlyName, getUserFriendlyName, getUserFriendlyPluralName, getUserFriendlyPluralName, hasChildren, hasOption, hasTag, initialize, isChildOf, isParentOf, isTop, registerConstraint, registerOption, registerPropertyDefinition, registerRelationDefinition, registerTag, resolveManagedObjectDefinition, toString, toString
public static GlobalAccessControlPolicyCfgDefn getInstance()
public GlobalAccessControlPolicyCfgClient createClientConfiguration(ManagedObject<? extends GlobalAccessControlPolicyCfgClient> impl)
createClientConfiguration in class ManagedObjectDefinition<GlobalAccessControlPolicyCfgClient,GlobalAccessControlPolicyCfg>
impl - The managed object.
public GlobalAccessControlPolicyCfg createServerConfiguration(ServerManagedObject<? extends GlobalAccessControlPolicyCfg> impl)
createServerConfiguration in class ManagedObjectDefinition<GlobalAccessControlPolicyCfgClient,GlobalAccessControlPolicyCfg>
impl - The server managed object.
public Class<GlobalAccessControlPolicyCfg> getServerConfigurationClass()
getServerConfigurationClass in class ManagedObjectDefinition<GlobalAccessControlPolicyCfgClient,GlobalAccessControlPolicyCfg>
public StringPropertyDefinition getAllowedAttributePropertyDefinition()
Allows clients to read or write the specified attributes, along with their sub-types.
Attributes that are subtypes of listed attributes are implicitly included. In addition, the list of attributes may include the wild-card '*', which represents all user attributes, or the wild-card '+', which represents all operational attributes, or the name of an object class prefixed with '@' to include all attributes defined by the object class.
public StringPropertyDefinition getAllowedAttributeExceptionPropertyDefinition()
Specifies zero or more attributes which, together with their sub-types, should not be included in the list of allowed attributes.
This property is typically used when the list of attributes specified by the allowed-attribute property is too broad. It is especially useful when creating policies which grant access to all user attributes (*) except certain sensitive attributes, such as userPassword.
public StringPropertyDefinition getAllowedControlPropertyDefinition()
Allows clients to use the specified LDAP controls.
public StringPropertyDefinition getAllowedExtendedOperationPropertyDefinition()
Allows clients to use the specified LDAP extended operations.
public BooleanPropertyDefinition getAuthenticationRequiredPropertyDefinition()
Restricts the scope of the policy so that it only applies to authenticated users.
public IpAddressMaskPropertyDefinition getConnectionClientAddressEqualToPropertyDefinition()
Restricts the scope of the policy so that it only applies to connections which match at least one of the specified client host names or address masks.
Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a sub-network with sub-network mask.
public IpAddressMaskPropertyDefinition getConnectionClientAddressNotEqualToPropertyDefinition()
Restricts the scope of the policy so that it only applies to connections which match none of the specified client host names or address masks.
Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a sub-network with sub-network mask.
public IntegerPropertyDefinition getConnectionMinimumSsfPropertyDefinition()
Restricts the scope of the policy so that it only applies to connections having the specified minimum security strength factor.
The security strength factor (ssf) pertains to the cipher key strength for connections using DIGEST-MD5, GSSAPI, SSL, or TLS. For example, to require that the connection must have a cipher strength of at least 256 bits, specify a value of 256.
public IntegerPropertyDefinition getConnectionPortEqualToPropertyDefinition()
Restricts the scope of the policy so that it only applies to connections to any of the specified ports, for example 1389.
public StringPropertyDefinition getConnectionProtocolEqualToPropertyDefinition()
Restricts the scope of the policy so that it only applies to connections which match any of the specified protocols.
public EnumPropertyDefinition<GlobalAccessControlPolicyCfgDefn.Permission> getPermissionPropertyDefinition()
Specifies the type of access allowed by this policy.
public StringPropertyDefinition getRequestTargetDnEqualToPropertyDefinition()
Restricts the scope of the policy so that it only applies to requests which target entries matching at least one of the specified DN patterns.
Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
public BooleanPropertyDefinition getRequestTargetDnEqualToUserDnPropertyDefinition()
Restricts the scope of the policy so that it only applies to requests sent by authenticated users where the request's target DN is the same as the DN of the authorized user.
public StringPropertyDefinition getRequestTargetDnNotEqualToPropertyDefinition()
Restricts the scope of the policy so that it only applies to requests which target entries matching none of the specified DN patterns.
Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
public StringPropertyDefinition getUserDnEqualToPropertyDefinition()
Restricts the scope of the policy so that it only applies to authenticated users whose authorization DN matches at least one of the specified DN patterns.
Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
public StringPropertyDefinition getUserDnNotEqualToPropertyDefinition()
Restricts the scope of the policy so that it only applies to authenticated users whose authorization DN matches none of the specified DN patterns.
Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
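The DN pattern rules described for the four DN-scoping properties above can be checked against sample DNs before a policy is deployed. The following is an added example, not ForgeRock code and not the server's matcher: the class `DnPatternDemo` and its methods are hypothetical, and it assumes case-insensitive comparison, no escaped commas and no multi-valued RDNs.

```java
import java.util.regex.Pattern;

/** Simplified model of the DN patterns described above (hypothetical, not the server's code). */
public class DnPatternDemo {
    /** Splits a DN or pattern on ','. Assumes no escaped commas or multi-valued RDNs. */
    static String[] rdns(String dn) {
        return dn.trim().toLowerCase().split("\\s*,\\s*");
    }

    /** Matches one RDN against one pattern component: "*", "*=value" or "type=va*ue". */
    static boolean rdnMatches(String pattern, String rdn) {
        if (pattern.equals("*")) return true;     // '*' replaces a whole RDN
        String[] p = pattern.split("=", 2);
        String[] r = rdn.split("=", 2);
        return p.length == 2 && r.length == 2 && glob(p[0], r[0]) && glob(p[1], r[1]);
    }

    /** '*' inside a type or value matches any substring; everything else is literal. */
    static boolean glob(String pattern, String text) {
        StringBuilder regex = new StringBuilder();
        for (String lit : pattern.split("\\*", -1)) regex.append(Pattern.quote(lit)).append(".*");
        regex.setLength(regex.length() - 2);      // drop the trailing ".*"
        return Pattern.matches(regex.toString(), text);
    }

    /** Matches pattern components p[i..] against DN components d[j..]. */
    static boolean matches(String[] p, int i, String[] d, int j) {
        if (i == p.length) return j == d.length;  // both must be fully consumed
        if (p[i].equals("**")) {                  // '**' replaces one or more RDNs
            for (int k = j + 1; k <= d.length; k++) {
                if (matches(p, i + 1, d, k)) return true;
            }
            return false;
        }
        return j < d.length && rdnMatches(p[i], d[j]) && matches(p, i + 1, d, j + 1);
    }

    static boolean matches(String pattern, String dn) {
        return matches(rdns(pattern), 0, rdns(dn), 0);
    }

    public static void main(String[] args) {
        // Constructed sample DNs checked against the two patterns quoted in the text.
        // The second DN leaves no RDN for '**' to replace.
        String[][] cases = {
            {"uid=dmiller,**,dc=example,dc=com", "uid=dmiller,ou=People,dc=example,dc=com"},
            {"uid=dmiller,**,dc=example,dc=com", "uid=dmiller,dc=example,dc=com"},
            {"uid=bj*,ou=people,dc=example,dc=com", "uid=bjensen,ou=People,dc=example,dc=com"},
        };
        for (String[] c : cases) System.out.println(c[0] + " ~ " + c[1] + " -> " + matches(c[0], c[1]));
    }
}
```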
Copyright 2010-2020 ForgeRock AS.