-- Module BasicAccessControl (X.501:08/1997)
-- Abstract syntax for the Directory's Basic Access Control scheme. An ACIItem
-- combines three ingredients: which parts of an entry are covered
-- (ProtectedItems), which requestors are covered (UserClasses) and which
-- operations are granted or denied (GrantsAndDenials), together with a
-- precedence and an AuthenticationLevel. The decision procedure that
-- evaluates these items is not part of this module; only the data types,
-- the operational attributes that carry them and the related OIDs are.
BasicAccessControl {joint-iso-itu-t ds(5) module(1) basicAccessControl(24) 3}
DEFINITIONS ::=
BEGIN
-- EXPORTS All
-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
-- within the Directory Specifications, and for the use of other applications which will use them to access
-- Directory services. Other applications may use them for their own purposes, but this will not constrain
-- extensions and modifications needed to maintain or improve the Directory service.
IMPORTS
id-aca, id-acScheme, informationFramework, upperBounds,
selectedAttributeTypes, directoryAbstractService
FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
usefulDefinitions(0) 3}
ATTRIBUTE, AttributeType, DistinguishedName, ContextAssertion,
SubtreeSpecification, SupportedAttributes, MATCHING-RULE,
objectIdentifierMatch, Refinement
FROM InformationFramework informationFramework
Filter
FROM DirectoryAbstractService directoryAbstractService
ub-tag
FROM UpperBounds upperBounds
NameAndOptionalUID, directoryStringFirstComponentMatch, DirectoryString{}
FROM SelectedAttributeTypes selectedAttributeTypes;
-- types
-- One access control item. identificationTag is a bounded DirectoryString
-- (ub-tag) that labels the item; precedence and authenticationLevel apply to
-- the whole item, except that the nested ItemPermission/UserPermission may
-- carry their own precedence (see below). itemOrUserFirst selects one of two
-- arrangements of the same ingredients: itemFirst groups ProtectedItems with
-- a set of (UserClasses, GrantsAndDenials) pairs; userFirst groups
-- UserClasses with a set of (ProtectedItems, GrantsAndDenials) pairs.
ACIItem ::= SEQUENCE {
identificationTag DirectoryString{ub-tag},
precedence Precedence,
authenticationLevel AuthenticationLevel,
itemOrUserFirst
CHOICE {itemFirst
[0] SEQUENCE {protectedItems ProtectedItems,
itemPermissions SET OF ItemPermission},
userFirst
[1] SEQUENCE {userClasses UserClasses,
userPermissions SET OF UserPermission}}
}
-- Bounded to one octet. How precedence values are compared when items
-- conflict is defined by the access control decision procedure, not here.
Precedence ::= INTEGER(0..255)
-- Which parts of an entry an item covers. Every component is OPTIONAL and
-- context-tagged, so any combination (including none) is syntactically valid.
-- NOTE(review): maxImmSub, and maxCount in MaxValueCount, are unconstrained
-- INTEGERs (no range bound, unlike Precedence); a decoder must cope with
-- arbitrarily large encodings rather than assume a native integer width.
ProtectedItems ::= SEQUENCE {
entry [0] NULL OPTIONAL,
allUserAttributeTypes [1] NULL OPTIONAL,
attributeType
[2] SET SIZE (1..MAX) OF AttributeType OPTIONAL,
allAttributeValues
[3] SET SIZE (1..MAX) OF AttributeType OPTIONAL,
allUserAttributeTypesAndValues [4] NULL OPTIONAL,
attributeValue
[5] SET SIZE (1..MAX) OF AttributeTypeAndValue OPTIONAL,
selfValue
[6] SET SIZE (1..MAX) OF AttributeType OPTIONAL,
-- rangeOfValues reuses the search Filter type from DirectoryAbstractService
rangeOfValues [7] Filter OPTIONAL,
maxValueCount
[8] SET SIZE (1..MAX) OF MaxValueCount OPTIONAL,
maxImmSub [9] INTEGER OPTIONAL,
restrictedBy
[10] SET SIZE (1..MAX) OF RestrictedValue OPTIONAL,
contexts
[11] SET SIZE (1..MAX) OF ContextAssertion OPTIONAL,
-- classes is a Refinement (object class expression) from InformationFramework
classes [12] Refinement OPTIONAL
}
-- Per-attribute-type value count limit. maxCount is an unconstrained INTEGER.
MaxValueCount ::= SEQUENCE {type AttributeType,
maxCount INTEGER
}
-- Ties values of one attribute type (type) to values of another (valuesIn).
RestrictedValue ::= SEQUENCE {type AttributeType,
valuesIn AttributeType
}
-- Which requestors an item applies to. All components are OPTIONAL.
-- allUsers, as its name indicates, applies the item to every requestor;
-- requestor authentication is expressed separately, in AuthenticationLevel,
-- so an item pairing allUsers with level none(0) is syntactically valid and
-- worth flagging when reviewing ACI data.
UserClasses ::= SEQUENCE {
allUsers [0] NULL OPTIONAL,
thisEntry [1] NULL OPTIONAL,
name [2] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
userGroup [3] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
-- dn component must be the name of an
-- entry of GroupOfUniqueNames
subtree [4] SET SIZE (1..MAX) OF SubtreeSpecification OPTIONAL
}
-- Used inside itemFirst: the protected items are fixed by the enclosing
-- ACIItem, and each ItemPermission names user classes plus grants/denials.
ItemPermission ::= SEQUENCE {
precedence Precedence OPTIONAL,
-- defaults to precedence in ACIItem
userClasses UserClasses,
grantsAndDenials GrantsAndDenials
}
-- Used inside userFirst: the user classes are fixed by the enclosing
-- ACIItem, and each UserPermission names protected items plus grants/denials.
UserPermission ::= SEQUENCE {
precedence Precedence OPTIONAL,
-- defaults to precedence in ACIItem
protectedItems ProtectedItems,
grantsAndDenials GrantsAndDenials
}
-- Authentication strength associated with an item. none(0) is a legal level,
-- so items that apply to unauthenticated requestors can be expressed.
-- signed is DEFAULT FALSE: when the component is omitted its value is FALSE.
-- localQualifier is an unconstrained INTEGER. The other alternative is an
-- EXTERNAL, i.e. an open, implementation-defined encoding; NOTE(review): a
-- consumer that does not recognise the EXTERNAL content cannot evaluate the
-- level and should not treat the requirement as met.
AuthenticationLevel ::= CHOICE {
basicLevels
SEQUENCE {level ENUMERATED {none(0), simple(1), strong(2)},
localQualifier INTEGER OPTIONAL,
signed BOOLEAN DEFAULT FALSE},
other EXTERNAL
}
-- Permission bits come in grant/deny pairs: every even bit is a grant and the
-- following odd bit is the matching deny. The BIT STRING type does not itself
-- prevent both bits of a pair from being set in one value; how conflicting
-- bits and precedences are resolved belongs to the decision procedure, which
-- is outside this module.
GrantsAndDenials ::= BIT STRING {
-- permissions that may be used in conjunction
-- with any component of ProtectedItems
grantAdd(0), denyAdd(1), grantDiscloseOnError(2), denyDiscloseOnError(3),
grantRead(4), denyRead(5), grantRemove(6),
denyRemove(7),
-- permissions that may be used only in conjunction
-- with the entry component
grantBrowse(8), denyBrowse(9), grantExport(10), denyExport(11),
grantImport(12), denyImport(13), grantModify(14), denyModify(15),
grantRename(16), denyRename(17), grantReturnDN(18),
denyReturnDN(19),
-- permissions that may be used in conjunction
-- with any component, except entry, of ProtectedItems
grantCompare(20), denyCompare(21), grantFilterMatch(22), denyFilterMatch(23),
grantInvoke(24), denyInvoke(25)}
-- Open type: value is decoded according to the ATTRIBUTE object selected by
-- type (the {@type} component relation) from SupportedAttributes. A decoder
-- therefore needs the type before it can interpret value.
AttributeTypeAndValue ::= SEQUENCE {
type ATTRIBUTE.&id({SupportedAttributes}),
value ATTRIBUTE.&Type({SupportedAttributes}{@type})
}
-- attributes
-- Operational attributes (USAGE directoryOperation) carrying the access
-- control configuration. accessControlScheme is SINGLE VALUE, so an entry
-- holds at most one scheme OID. The three ACI attributes share the ACIItem
-- syntax and match on its first component, identificationTag, via
-- directoryStringFirstComponentMatch.
accessControlScheme ATTRIBUTE ::= {
WITH SYNTAX OBJECT IDENTIFIER
EQUALITY MATCHING RULE objectIdentifierMatch
SINGLE VALUE TRUE
USAGE directoryOperation
ID id-aca-accessControlScheme
}
prescriptiveACI ATTRIBUTE ::= {
WITH SYNTAX ACIItem
EQUALITY MATCHING RULE directoryStringFirstComponentMatch
USAGE directoryOperation
ID id-aca-prescriptiveACI
}
entryACI ATTRIBUTE ::= {
WITH SYNTAX ACIItem
EQUALITY MATCHING RULE directoryStringFirstComponentMatch
USAGE directoryOperation
ID id-aca-entryACI
}
subentryACI ATTRIBUTE ::= {
WITH SYNTAX ACIItem
EQUALITY MATCHING RULE directoryStringFirstComponentMatch
USAGE directoryOperation
ID id-aca-subentryACI
}
-- object identifier assignments
-- attributes
-- Arcs 2 and 3 under id-aca are not assigned in this module.
id-aca-accessControlScheme OBJECT IDENTIFIER ::=
{id-aca 1}
id-aca-prescriptiveACI OBJECT IDENTIFIER ::= {id-aca 4}
id-aca-entryACI OBJECT IDENTIFIER ::= {id-aca 5}
id-aca-subentryACI OBJECT IDENTIFIER ::= {id-aca 6}
-- access control schemes -
-- OIDs identifying an access control scheme; presumably the values carried
-- by the accessControlScheme attribute above (its syntax is OBJECT IDENTIFIER).
basicAccessControlScheme OBJECT IDENTIFIER ::=
{id-acScheme 1}
simplifiedAccessControlScheme OBJECT IDENTIFIER ::= {id-acScheme 2}
rule-based-access-control OBJECT IDENTIFIER ::= {id-acScheme 3}
rule-and-basic-access-control OBJECT IDENTIFIER ::= {id-acScheme 4}
rule-and-simple-access-control OBJECT IDENTIFIER ::= {id-acScheme 5}
END -- BasicAccessControl
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D