Grant users the ability to change their own attribute values using [This]

  • 7022600
  • 24-Jan-2018
  • 24-Jan-2018

Environment

Adding the [This] trustee
Allowing many users rights to their own object but not to others
Novell eDirectory 8.7.1 for All Platforms
Novell eDirectory 8.7.3 for All Platforms

Situation

Grant users the ability to change their own attribute values using [This]

Resolution

The existing utilities do not provide direct support for entering [This] as a trustee, so the assignment must be made via LDAP using an LDIF file. Once the trustee has been added with the LDIF below, iMonitor and ConsoleOne will correctly display the rights granted to [This], and ConsoleOne (or iManager) can be used to change them.
The following is an example of a working LDIF file that allows every object in the tree to modify its own email address. Remember that this reaches eDirectory through the LDAP server, so the LDAP attribute name must be used in the ACL value; depending on the attribute you wish to grant access to, an LDAP attribute mapping may need to exist (or be added) on the LDAP Group object.

<--- Start of LDIF File --->

dn: o=Novell
changetype: modify
add: ACL
ACL: 14#subtree#[THIS]#mail

<--- End of LDIF File --->

This LDIF file adds an ACL value to the top level Organization object "Novell" (o=Novell). An eDirectory ACL value in LDAP syntax has the form privileges#scope#trustee#protectedattribute; here the trustee is [This], the scope is subtree so that the assignment applies to every object below o=Novell, and the protected attribute is mail, giving read, write and inheritable privileges to that attribute for the tree. The mail attribute is mapped via the LDAP attribute mappings on the LDAP Group object to "Internet Email Address" in the eDirectory schema.

The LDIF file can be applied with ICE (the example below uses a NetWare path for the LDIF file and binds to the LDAP server on the local host as admin):

ice -S LDIF -f sys:system\mail.ldif -D LDAP -s 127.0.0.1 -d cn=admin,o=novell -w password

Note that -w puts the admin password on the command line, where it is visible in process listings and command history; run ICE from a console you control and use a bind account that actually holds supervisor rights to the container being modified.

You should now find that users can modify their own email address, whether over LDAP or through utilities such as ConsoleOne, but cannot modify the email address of any other object in the tree. Verify both cases: a user modifying their own mail attribute should succeed, and the same user modifying another user's mail attribute should be refused with insufficient rights. Once the [This] trustee has been added to the tree, you can use iManager or ConsoleOne to add and remove rights for it.

Additional Information

eDirectory provides the ability for objects to manage their own attributes without being given access to the same attributes on other objects and without granting ACLs to each object throughout the tree. This special trustee is referred to as [This]: a right granted to [This] applies to a given object only when that object itself is the one accessing it. A typical example is an administrator who wants every user in the tree to be able to modify their own email address, but nobody else's. This is accomplished by making [This] a trustee of the top level container (the Organization o=Novell in the example above) with read/write and inheritable privileges to the "Internet Email Address" attribute.
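The following is an added, illustrative model of how the LDIF above and the [This] trustee behave; it is not eDirectory code and not part of the original TID. It parses ACL values in the LDAP syntax (privileges#scope#trustee#protectedattribute), renders the same LDIF change the article applies, and evaluates rights over a small constructed tree so that the "own object, not others" property can be checked. The bit values for attribute rights are taken from eDirectory's LDAP ACL syntax documentation and should be verified against the documentation for your release; the evaluator deliberately ignores inheritance masks and the rule that an explicit lower-level assignment replaces inherited rights, so it is a teaching model, not an effective-rights calculator.

```python
"""Model of eDirectory LDAP-syntax ACLs and the [This] trustee.

Added for this article; not eDirectory code.  Simplifications: no
inherited-rights filters, no override of inherited rights by a lower
explicit assignment, rights are simply OR-ed up the tree.
"""

# Attribute-right bits of the ACL privileges field
# (privileges#scope#subjectname#protectedattrname).  Assumed to match the
# eDirectory LDAP ACL documentation; confirm for your release.
COMPARE, READ, WRITE, SELF, SUPERVISOR, INHERIT_CTL = 1, 2, 4, 8, 32, 64


def parse_acl(value):
    """Split 'privileges#scope#subject#attr' into its four fields."""
    privileges, scope, subject, attr = value.split("#", 3)
    scope = scope.lower()
    if scope not in ("entry", "subtree"):
        raise ValueError("unknown ACL scope: %r" % scope)
    return {"bits": int(privileges), "scope": scope,
            "subject": subject, "attr": attr}


def _norm(dn):
    """Case-fold and strip a DN so comparisons are stable."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _ancestors(dn):
    """Yield dn, then its parent, grandparent, ... up to the tree root."""
    parts = _norm(dn).split(",")
    for i in range(len(parts)):
        yield ",".join(parts[i:])


def effective_rights(directory, subject_dn, target_dn, attr):
    """OR together the bits of every ACL on target_dn or one of its
    containers that names subject_dn, [Public], or [This] (the latter
    only when subject_dn is target_dn) and protects attr or
    [All Attributes Rights]."""
    subject, target, bits = _norm(subject_dn), _norm(target_dn), 0
    for holder in _ancestors(target):
        for raw in directory.get(holder, {}).get("ACL", []):
            acl = parse_acl(raw)
            if acl["scope"] == "entry" and holder != target:
                continue  # entry scope covers only the object carrying the ACL
            trustee = acl["subject"].lower()
            if trustee == "[this]":
                applies = subject == target  # the [This] trustee: self only
            elif trustee == "[public]":
                applies = True
            else:
                applies = _norm(acl["subject"]) == subject
            if applies and acl["attr"].lower() in (attr.lower(),
                                                    "[all attributes rights]"):
                bits |= acl["bits"]
    return bits


def this_trustee_ldif(container_dn, ldap_attr, bits=READ | WRITE | SELF):
    """Render the LDIF change the article applies (14 = READ|WRITE|SELF)."""
    return ("dn: %s\nchangetype: modify\nadd: ACL\nACL: %d#subtree#[THIS]#%s\n"
            % (container_dn, bits, ldap_attr))


# Constructed sample tree: the Organization carries the article's ACL and
# a conventional admin supervisor grant; two users live in ou=users.
TREE = {
    "o=novell": {"ACL": ["14#subtree#[THIS]#mail",
                         "32#subtree#cn=admin,o=novell#[All Attributes Rights]"]},
    "cn=admin,o=novell": {},
    "cn=alice,ou=users,o=novell": {"mail": ["alice@example.com"]},
    "cn=bob,ou=users,o=novell": {"mail": ["bob@example.com"]},
}


def can_write_mail(subject_dn, target_dn):
    """True if subject_dn may write the mail attribute of target_dn."""
    rights = effective_rights(TREE, subject_dn, target_dn, "mail")
    return bool(rights & (WRITE | SUPERVISOR))


if __name__ == "__main__":
    print(this_trustee_ldif("o=Novell", "mail"))
    for who, whom in [("cn=alice,ou=users,o=novell", "cn=alice,ou=users,o=novell"),
                      ("cn=alice,ou=users,o=novell", "cn=bob,ou=users,o=novell"),
                      ("cn=admin,o=novell", "cn=bob,ou=users,o=novell")]:
        print("%-28s -> %-28s write mail: %s" % (who, whom, can_write_mail(who, whom)))
```

The three checks at the bottom are the ones to repeat against a real tree after applying the LDIF: a user writing their own mail attribute succeeds, the same user writing another user's fails, and admin (holding an explicit supervisor assignment) still succeeds on everyone.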

Formerly known as TID# 10087020
Formerly known as TID# NOVL92510