Restricting the CRUD permissions to the Administrators


This topic has 1 reply, 2 voices, and was last updated 7 years, 4 months ago by Ludo.


    We have two applications protected by OpenAM and OpenDJ is the directory server.

    (a) Test1
    (b) Test2

    I have defined the following 3 OUs under base DN dc=root,dc=com:
    (a) ou=Administrators,dc=root,dc=com: Under this OU, I have just 2-3 Administrators.
    (b) ou=Groups,dc=root,dc=com: Under this OU, I have defined two groups for “Test1” and “Test2” which have the respective members for “Test1” and “Test2”.
    (c) ou=People,dc=root,dc=com: Under this OU, I have all the users for Test1, Test2 and Administrator.

    How should I restrict permissions to only allow the users within ou=Administrators to carry out all the CRUD (Create, Read, Update and Delete) activities?
    Currently, the application developers make REST calls to OpenAM with “amAdmin” to carry out these activities. But I don’t want them to use the OpenAM – Admin user details.
    Please help.
    My initial investigation shows that I will have to execute ACI statements. However, I am not aware how to draft ACI statements and execute them.
    I will attach a screenshot for further clarification (if I can!).

    • This topic was modified 7 years, 4 months ago by Dhawal.


    In OpenDJ 2.6, the access controls enforced when calling the REST APIs are the same as when accessing through LDAP. So user A has exactly the same rights regardless of the protocol.
    In future versions, it will be possible to protect the REST endpoint and restrict who can make calls to it.
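A directory-side draft of the ACIs the question asks for, added here as an example and not taken from the thread or from any ForgeRock documentation. It assumes the administrator entries directly under ou=Administrators use uid= RDNs, and that the host, port and password file used to apply it are placeholders. As the reply notes, these same rules govern access whether the caller uses LDAP or OpenDJ's REST interface.

```ldif
# Constructed example: two ACIs, one on ou=People and one on ou=Groups, each
# granting every right except proxy to any entry whose RDN is uid=* directly
# under ou=Administrators (assumed: admin entries use uid RDNs).
# ACIs are additive and deny by default: a Test1/Test2 user matched by no
# allow rule gets nothing beyond the server's global ACIs, over LDAP or REST.
dn: ou=People,dc=root,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=People,dc=root,dc=com")(targetattr = "*")
 (version 3.0; acl "Administrators manage People"; allow (all) userdn = "ldap:///uid=*,ou=Administrators,dc=root,dc=com";)

dn: ou=Groups,dc=root,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=Groups,dc=root,dc=com")(targetattr = "*")
 (version 3.0; acl "Administrators manage Groups"; allow (all) userdn = "ldap:///uid=*,ou=Administrators,dc=root,dc=com";)

# Apply as the directory superuser (host, port and password file are placeholders):
#   ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -j /path/to/pw.txt -f admin-aci.ldif
# Check: a modify attempted while bound as a uid under ou=People that is not
# also under ou=Administrators should fail with result code 50
# (Insufficient Access Rights); the same attempt as an administrator succeeds.
```

Note that these ACIs constrain whoever binds to OpenDJ directly; calls that go through OpenAM's own REST endpoints are authorised by OpenAM and reach the directory under the service account OpenAM itself binds with, so removing amAdmin use by the developers is an OpenAM-side change, not one these ACIs make on their own.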
