How do I know what the default Global ACIs are used for in OpenDJ 3.x?

Last updated Jan 5, 2021

The purpose of this article is to provide information on what the default Global ACIs are used for in OpenDJ and whether they can be removed or modified.

2 readers recommend this article

Archived

This article has been archived and is no longer maintained by ForgeRock.

Overview

The default global ACIs are documented for each release and you should refer to the appropriate documentation for details applicable to the version you are using. See Administration Guide › Default Global ACIs for further information.

The list below is applicable in OpenDJ 3.x.

Caution

Some Global ACIs must not be removed or modified, whereas some may be removed and others may be removed but their removal is not recommended. In all cases, you must test your changes in a pre-production environment first to ensure there is no adverse impact.

Default Global ACIs

The default Global ACIs have been categorized below according to whether they can be removed or not:

Modification or removal is permitted; must be tested

The following default Global ACIs exist in this category:

Anonymous "Read" access - allows anonymous read access to most user data attributes: ds-cfg-global-aci: (targetattr!="userPassword||authPassword||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
Self-entry "Write" access - allows authenticated users to modify each of these attributes on their own entry: ds-cfg-global-aci: (targetattr="audio||authPassword||description||displayName||givenName||homePhone||homePostalAddress||initials||jpegPhoto||labeledURI||mobile||pager||postalAddress||postalCode||preferredLanguage||telephoneNumber||userPassword")(version 3.0; acl "Self entry modification"; allow (write) userdn="ldap:///self";)
Self-entry Password value "Read" access - allows authenticated users to read password values on their own entries after binding; password values are hashed by default: ds-cfg-global-aci: (targetattr="userPassword||authPassword")(version 3.0; acl "Self entry read"; allow (read,search,compare) userdn="ldap:///self";)

Modification or removal may affect applications; must be tested

The following default Global ACIs exist in this category:

Anonymous Extended Operations "Read" access - allows anonymous and authenticated users to request the LDAP extended operations that are specified by OID: See Reference › Appendix H. LDAP Extended Operations for further information. ds-cfg-global-aci: (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 || 1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 || 1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)
Anonymous LDAP Control "Read" access - allows anonymous and authenticated users to use the LDAP controls that are specified by OID: See Reference › Appendix G. LDAP Controls for further information. ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 1.2.840.113556.1.4.1413") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
Authenticated users LDAP Control "Read" access - allows authenticated users to use the LDAP controls that are specified by OID: See Reference › Appendix G. LDAP Controls for further information. ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
Anonymous Schema-related Operational Attributes "Read" access - allows anonymous and authenticated users to read LDAP schema definitions: ds-cfg-global-aci: (target="ldap:///cn=schema")(targetscope="base")(targetattr="objectClass||attributeTypes||dITContentRules||dITStructureRules||ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
Anonymous User-visible Operational Attributes "Read" access - allows anonymous and authenticated users to read operational attributes related to entry updates and entry identification: ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry||etag||governingStructureRule||structuralObjectClass||hasSubordinates||numSubordinates")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)

Modification or removal may affect applications and is not recommended; must be tested

The following default Global ACI exists in this category:

Anonymous root DSE attributes "Read" access - allows anonymous and authenticated users to read attributes that describe what features the server supports: ds-cfg-global-aci: (target="ldap:///")(targetscope="base")(targetattr="objectClass||namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedLDAPVersion||supportedSASLMechanisms||supportedTLSCiphers||supportedTLSProtocols||vendorName||vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)

Must not be modified or deleted