-- Basic Access Control module of the Directory (Rec. ITU-T X.501 | ISO/IEC 9594-2).
--
-- This module defines only data structures: the ACIItem syntax carried by the
-- prescriptiveACI, entryACI and subentryACI operational attributes, the
-- accessControlScheme attribute that records which scheme an entry/subtree is
-- governed by, and the object identifiers for all of these.  The decision
-- procedure that turns a set of ACIItems into a grant or deny is NOT defined
-- here; nothing in this module resolves conflicting grant/deny bits, equal
-- precedences, or unrecognised extension values.  Implementers must take those
-- rules from the accompanying specification text and should fail closed (deny)
-- wherever it leaves a case open.
BasicAccessControl {joint-iso-itu-t ds(5) module(1) basicAccessControl(24) 7}
DEFINITIONS ::=
BEGIN

-- EXPORTS All
-- The types and values defined in this module are exported for use in the other ASN.1
-- modules contained within these Directory Specifications, and for the use of other
-- applications which will use them to access Directory services. Other applications may
-- use them for their own purposes, but this will not constrain extensions and
-- modifications needed to maintain or improve the Directory service.

IMPORTS

  -- from Rec. ITU-T X.501 | ISO/IEC 9594-2
  directoryAbstractService, id-aca, id-acScheme, informationFramework,
  selectedAttributeTypes
    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 7}

  ATTRIBUTE, AttributeType, AttributeTypeAndValue, ContextAssertion, DistinguishedName,
  MATCHING-RULE, objectIdentifierMatch, Refinement, SubtreeSpecification,
  SupportedAttributes
    FROM InformationFramework informationFramework

  -- from Rec. ITU-T X.511 | ISO/IEC 9594-3
  -- Filter is used by ProtectedItems.rangeOfValues below.
  Filter
    FROM DirectoryAbstractService directoryAbstractService

  -- from Rec. ITU-T X.520 | ISO/IEC 9594-6
  -- directoryStringFirstComponentMatch is the equality rule of the three ACI
  -- attributes; NameAndOptionalUID is the user identity form in UserClasses.
  directoryStringFirstComponentMatch, NameAndOptionalUID,
  UnboundedDirectoryString, UniqueIdentifier
    FROM SelectedAttributeTypes selectedAttributeTypes;

-- Operational attribute naming the access control scheme in force.  The value
-- is an OBJECT IDENTIFIER; the identifiers this module itself assigns for that
-- purpose are listed under "access control schemes" at the end of the module.
-- SINGLE VALUE TRUE: an entry/subentry carries at most one scheme, so there is
-- no ambiguity about which set of rules applies.
accessControlScheme ATTRIBUTE ::= {
  WITH SYNTAX OBJECT IDENTIFIER
  EQUALITY MATCHING RULE objectIdentifierMatch
  SINGLE VALUE TRUE
  USAGE directoryOperation
  ID id-aca-accessControlScheme }

-- types

-- One access control information item.  An ACIItem binds three things: a set
-- of protected items, a set of user classes, and the grants/denials that apply
-- when a user in those classes touches those items.  The binding can be
-- expressed either way round:
--   itemFirst  - one ProtectedItems, then a SET OF (userClasses, grantsAndDenials)
--   userFirst  - one UserClasses,   then a SET OF (protectedItems, grantsAndDenials)
-- Both forms carry the same information; the choice is an authoring convenience.
--
-- identificationTag: the attributes that carry ACIItem use
-- directoryStringFirstComponentMatch as their EQUALITY rule, i.e. two values
-- compare equal when their FIRST component -- this tag -- matches, regardless
-- of their permissions.  The tag therefore acts as the value's key: reuse of a
-- tag within one attribute makes the values indistinguishable to the matching
-- rule, so tags should be kept unique per attribute.
-- precedence: the item's default precedence; an ItemPermission/UserPermission
-- may override it (see those types).
-- authenticationLevel: the minimum authentication the requestor must have for
-- this item to apply at all (see AuthenticationLevel).
ACIItem ::= SEQUENCE {
  identificationTag UnboundedDirectoryString,
  precedence Precedence,
  authenticationLevel AuthenticationLevel,
  itemOrUserFirst CHOICE {
    itemFirst [0] SEQUENCE {
      protectedItems ProtectedItems,
      itemPermissions SET OF ItemPermission,
      ...},
    userFirst [1] SEQUENCE {
      userClasses UserClasses,
      userPermissions SET OF UserPermission,
      ...},
    ...},
  ... }

-- Precedence is nominally 0..255, but the extension marker means a conforming
-- encoder MAY send values outside that range.  Decoders must not assume the
-- value fits in one octet, and must decide (deny is the safe default) how an
-- out-of-range precedence is treated; this module does not say.
Precedence ::= INTEGER(0..255,...)

-- The set of things an ACIItem protects.  Every component is OPTIONAL, so a
-- ProtectedItems with no components at all is syntactically valid; what such a
-- value protects (nothing, or everything) is not defined by this module and
-- implementations should treat it conservatively.
--   entry                         - the entry as a whole (see GrantsAndDenials,
--                                   bits 8..19 apply only to this component)
--   allUserAttributeTypes         - every user attribute type
--   attributeType                 - the listed attribute types
--   allAttributeValues            - all values of the listed types
--   allUserAttributeTypesAndValues- every user attribute type and value
--   attributeValue                - the specific (type, value) pairs listed
--   selfValue                     - values of the listed types that name the
--                                   requestor (per the names used in UserClasses)
--   rangeOfValues                 - values selected by an X.511 Filter.
--                                   NOTE: evaluating a Filter during an access
--                                   control decision means the decision itself
--                                   depends on attribute contents; implementers
--                                   should make sure filter evaluation here
--                                   cannot leak values the requestor may not read.
--   maxValueCount                 - per-type upper bound on value count
--   maxImmSub                     - bound on immediate subordinates; INTEGER is
--                                   unconstrained, so negative values are
--                                   syntactically possible and need a defined
--                                   treatment.
--   restrictedBy                  - see RestrictedValue
--   contexts                      - ContextAssertions that must hold
--   classes                       - object-class Refinement selecting entries
ProtectedItems ::= SEQUENCE {
  entry [0] NULL OPTIONAL,
  allUserAttributeTypes [1] NULL OPTIONAL,
  attributeType [2] SET SIZE (1..MAX) OF AttributeType
    OPTIONAL,
  allAttributeValues [3] SET SIZE (1..MAX) OF AttributeType
    OPTIONAL,
  allUserAttributeTypesAndValues [4] NULL OPTIONAL,
  attributeValue [5] SET SIZE (1..MAX) OF AttributeTypeAndValue
    OPTIONAL,
  selfValue [6] SET SIZE (1..MAX) OF AttributeType
    OPTIONAL,
  rangeOfValues [7] Filter OPTIONAL,
  maxValueCount [8] SET SIZE (1..MAX) OF MaxValueCount
    OPTIONAL,
  maxImmSub [9] INTEGER OPTIONAL,
  restrictedBy [10] SET SIZE (1..MAX) OF RestrictedValue
    OPTIONAL,
  contexts [11] SET SIZE (1..MAX) OF ContextAssertion
    OPTIONAL,
  classes [12] Refinement OPTIONAL,
  ... }

-- Upper bound on the number of values of one attribute type.
-- maxCount is an unconstrained INTEGER: zero and negative values are
-- encodable, and this module gives them no meaning.
MaxValueCount ::= SEQUENCE {
  type AttributeType,
  maxCount INTEGER,
  ... }

-- Ties the permitted values of attribute `type` to the values present in
-- attribute `valuesIn`.  Both components are AttributeType (no values), so the
-- restriction is evaluated against the entry's current contents at decision time.
RestrictedValue ::= SEQUENCE {
  type AttributeType,
  valuesIn AttributeType,
  ... }

-- The users an ACIItem applies to.  As with ProtectedItems every component is
-- OPTIONAL, so an empty UserClasses is syntactically valid and its meaning is
-- not fixed by this module.
--   allUsers  - any requestor (subject to the ACIItem's authenticationLevel)
--   thisEntry - the requestor whose own name is the entry being accessed
--   name      - the listed names, each optionally pinned by a UniqueIdentifier
--               (NameAndOptionalUID) so a re-used DN cannot inherit rights
--   userGroup - members of the listed groups; the dn component must name a
--               GroupOfUniqueNames entry (see inline comment)
--   subtree   - requestors whose names fall within the listed subtrees
UserClasses ::= SEQUENCE {
  allUsers [0] NULL OPTIONAL,
  thisEntry [1] NULL OPTIONAL,
  name [2] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
  userGroup [3] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
  -- dn component shall be the name of an
  -- entry of GroupOfUniqueNames
  subtree [4] SET SIZE (1..MAX) OF SubtreeSpecification OPTIONAL,
  ... }

-- itemFirst leg of ACIItem: which users get which permissions on the
-- enclosing ProtectedItems.  An explicit precedence here overrides the
-- ACIItem-level one for this permission only; when absent the ACIItem's
-- precedence applies (per the comment below).
ItemPermission ::= SEQUENCE {
  precedence Precedence OPTIONAL,
  -- defaults to precedence in ACIItem
  userClasses UserClasses,
  grantsAndDenials GrantsAndDenials,
  ... }

-- userFirst leg of ACIItem: which items the enclosing UserClasses get which
-- permissions on.  Precedence handling mirrors ItemPermission.
UserPermission ::= SEQUENCE {
  precedence Precedence OPTIONAL,
  -- defaults to precedence in ACIItem
  protectedItems ProtectedItems,
  grantsAndDenials GrantsAndDenials,
  ... }

-- Minimum authentication required before an ACIItem is considered.
--   basicLevels.level  - none(0) < simple(1) < strong(2).  The ENUMERATED is
--                        extensible, so a peer may send an unlisted level;
--                        this module does not rank such values and a receiver
--                        should not treat an unknown level as satisfying any
--                        requirement.
--   localQualifier     - optional, locally-defined refinement; its scale is not
--                        defined here and it is not comparable across DSAs.
--   signed             - DEFAULT FALSE.  Under DER a FALSE value is omitted from
--                        the encoding; decoders must treat absence as FALSE, and
--                        encoders must not emit an explicit FALSE.
--   other              - opaque EXTERNAL extension point.  A receiver that does
--                        not recognise the carried content cannot evaluate the
--                        requirement, and this module provides no fallback.
AuthenticationLevel ::= CHOICE {
  basicLevels SEQUENCE {
    level ENUMERATED {none(0), simple(1), strong(2),...},
    localQualifier INTEGER OPTIONAL,
    signed BOOLEAN DEFAULT FALSE,
    ...},
  other EXTERNAL,
  ... }

-- Permissions as a BIT STRING with named bits, arranged in grant/deny pairs
-- (even bit = grant, following odd bit = deny).  Three things the syntax does
-- NOT enforce and a decision procedure must handle explicitly:
--   * both grantX and denyX may be set in the same value;
--   * the grouping comments below (entry-only, non-entry-only) are conventions,
--     not constraints -- a value may set an entry-only bit alongside a
--     ProtectedItems that has no entry component;
--   * there is no SIZE constraint, so bits beyond denyInvoke(25) may be present
--     and short encodings leave trailing bits unset (zero).
GrantsAndDenials ::= BIT STRING {
  -- permissions that may be used in conjunction
  -- with any component of ProtectedItems
  grantAdd (0),
  denyAdd (1),
  grantDiscloseOnError (2),
  denyDiscloseOnError (3),
  grantRead (4),
  denyRead (5),
  grantRemove (6),
  denyRemove (7),
  -- permissions that may be used only in conjunction
  -- with the entry component
  grantBrowse (8),
  denyBrowse (9),
  grantExport (10),
  denyExport (11),
  grantImport (12),
  denyImport (13),
  grantModify (14),
  denyModify (15),
  grantRename (16),
  denyRename (17),
  grantReturnDN (18),
  denyReturnDN (19),
  -- permissions that may be used in conjunction
  -- with any component, except entry, of ProtectedItems
  grantCompare (20),
  denyCompare (21),
  grantFilterMatch (22),
  denyFilterMatch (23),
  grantInvoke (24),
  denyInvoke (25) }

-- attributes

-- The three ACI-carrying attributes share one syntax (ACIItem) and one equality
-- rule (directoryStringFirstComponentMatch, i.e. match on identificationTag)
-- and differ only in their identifier and hence in where they are placed.
-- All are USAGE directoryOperation: operational attributes, not user data.
-- Because the matching rule looks only at the tag, a modify operation that
-- tries to replace an ACIItem by value must supply the exact tag; two values
-- with the same tag but different permissions are "equal" to the DSA.

-- ACI held in a subentry and applying prescriptively to the entries it governs.
prescriptiveACI ATTRIBUTE ::= {
  WITH SYNTAX ACIItem
  EQUALITY MATCHING RULE directoryStringFirstComponentMatch
  USAGE directoryOperation
  ID id-aca-prescriptiveACI }

-- ACI held in, and applying to, an individual entry.
entryACI ATTRIBUTE ::= {
  WITH SYNTAX ACIItem
  EQUALITY MATCHING RULE directoryStringFirstComponentMatch
  USAGE directoryOperation
  ID id-aca-entryACI }

-- ACI held in an entry and applying to that entry's subentries.
subentryACI ATTRIBUTE ::= {
  WITH SYNTAX ACIItem
  EQUALITY MATCHING RULE directoryStringFirstComponentMatch
  USAGE directoryOperation
  ID id-aca-subentryACI }

-- object identifier assignments

-- attributes
-- Arcs {id-aca 2} and {id-aca 3} are not assigned in this module; do not
-- reuse them locally.

id-aca-accessControlScheme OBJECT IDENTIFIER ::= {id-aca 1}
id-aca-prescriptiveACI OBJECT IDENTIFIER ::= {id-aca 4}
id-aca-entryACI OBJECT IDENTIFIER ::= {id-aca 5}
id-aca-subentryACI OBJECT IDENTIFIER ::= {id-aca 6}

-- access control schemes
-- Candidate values of the accessControlScheme attribute.  Only the ACIItem
-- machinery for the basic/simplified schemes is defined in this module; the
-- rule-based variants (3..5) are identified here but their rules are not.

basicAccessControlScheme OBJECT IDENTIFIER ::= {id-acScheme 1}
simplifiedAccessControlScheme OBJECT IDENTIFIER ::= {id-acScheme 2}
rule-based-access-control OBJECT IDENTIFIER ::= {id-acScheme 3}
rule-and-basic-access-control OBJECT IDENTIFIER ::= {id-acScheme 4}
rule-and-simple-access-control OBJECT IDENTIFIER ::= {id-acScheme 5}

END -- BasicAccessControl