IN-CS2-SDF-BasicAccessControl (Q.1228:09/1997)

-- Module IN-CS2-SDF-BasicAccessControl (Q.1228:09/1997)
-- See also ITU-T Q.1228 (09/1997)
-- See also the index of all ASN.1 assignments needed in this document
IN-CS2-SDF-BasicAccessControl {itu-t recommendation q 1228 modules(0)
  sdfBasicAccessControl(10) version1(0)} DEFINITIONS ::=
BEGIN

-- EXPORTS All 
-- The types and values defined in this module are exported for use in the other ASN.1 modules contained 
-- within the Directory Specifications, and for the use of other applications which will use them to access 
-- Directory services. Other applications may use them for their own purposes, but this will not constrain
-- extensions and modifications needed to maintain or improve the Directory service.
IMPORTS
  informationFramework, upperBounds, selectedAttributeTypes,
    basicAccessControl, directoryAbstractService
    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
      usefulDefinitions(0) 3}
  ATTRIBUTE, AttributeType,
    --AttributeTypeAndValue, 
    SubtreeSpecification, ContextAssertion
    FROM InformationFramework {joint-iso-itu-t ds(5) module(1)
      informationFramework(1) 3}
  AttributeTypeAndValue, MaxValueCount, RestrictedValue, AuthenticationLevel,
    Precedence
    FROM BasicAccessControl {joint-iso-itu-t ds(5) module(1)
      basicAccessControl(24) 3}
  id-aca-prescriptiveACI, id-aca-entryACI, id-aca-subentryACI,
    sdf-InformationFramework
    FROM IN-CS2-object-identifiers {itu-t recommendation q 1228 modules(0)
      in-cs2-object-identifiers(17) version1(0)}
  ub-tag
    FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 3}
  METHOD
    FROM IN-CS2-SDF-InformationFramework {itu-t recommendation q 1228
      modules(0) sdfInformationFramework(9) version1(0)}
  --sdf-InformationFramework,
  Filter
    FROM DirectoryAbstractService {joint-iso-itu-t ds(5) module(1)
      directoryAbstractService(2) 3}
  NameAndOptionalUID, directoryStringFirstComponentMatch, DirectoryString{}
    FROM SelectedAttributeTypes {joint-iso-itu-t ds(5) module(1)
      selectedAttributeTypes(5) 3};

-- types 
ACIItem ::= SEQUENCE {
  identificationTag    DirectoryString{ub-tag},
  precedence           Precedence,
  authenticationLevel  AuthenticationLevel,
  itemOrUserFirst
    CHOICE {itemFirst
              [0]  SEQUENCE {protectedItems   ProtectedItems,
                             itemPermissions  SET OF ItemPermission},
            userFirst
              [1]  SEQUENCE {userClasses      UserClasses,
                             userPermissions  SET OF UserPermission}}
}

ProtectedItems ::= SEQUENCE {
  entry                           [0]  NULL OPTIONAL,
  allUserAttributeTypes           [1]  NULL OPTIONAL,
  attributeType                   [2]  SET OF AttributeType OPTIONAL,
  allAttributeValues              [3]  SET OF AttributeType OPTIONAL,
  allUserAttributeTypesAndValues  [4]  NULL OPTIONAL,
  attributeValue                  [5]  SET OF AttributeTypeAndValue OPTIONAL,
  selfValue                       [6]  SET OF AttributeType OPTIONAL,
  rangeOfValues                   [7]  Filter OPTIONAL,
  maxValueCount                   [8]  SET OF MaxValueCount OPTIONAL,
  maxImmSub                       [9]  INTEGER OPTIONAL,
  restrictedBy                    [10]  SET OF RestrictedValue OPTIONAL,
  contexts                        [11]  SET OF ContextAssertion OPTIONAL,
  entryMethods                    [30]  SET OF MethodIDs OPTIONAL
}

MethodIDs ::= METHOD.&id

UserClasses ::= SEQUENCE {
  allUsers   [0]  NULL OPTIONAL,
  thisEntry  [1]  NULL OPTIONAL,
  name       [2]  SET OF NameAndOptionalUID OPTIONAL,
  userGroup  [3]  SET OF NameAndOptionalUID OPTIONAL,
  -- dn component must be the name of an
  -- entry of GroupOfUniqueNames 
  subtree    [4]  SET OF SubtreeSpecification OPTIONAL
}

ItemPermission ::= SEQUENCE {
  precedence        Precedence OPTIONAL,
  -- defaults to precedence in ACIItem 
  userClasses       UserClasses,
  grantsAndDenials  GrantsAndDenials
}

UserPermission ::= SEQUENCE {
  precedence        Precedence OPTIONAL,
  -- defaults to precedence in ACIItem
  protectedItems    ProtectedItems,
  grantsAndDenials  GrantsAndDenials
}

GrantsAndDenials ::= BIT STRING {
  -- permissions that may be used in conjunction
  -- with any component of ProtectedItems 
  grantAdd(0), denyAdd(1), grantDiscloseOnError(2), denyDiscloseOnError(3),
  grantRead(4), denyRead(5), grantRemove(6),
  denyRemove(7),
  -- permissions that may be used only in conjunction
  -- with the entry component
  grantBrowse(8), denyBrowse(9), grantExport(10), denyExport(11),
  grantImport(12), denyImport(13), grantModify(14), denyModify(15),
  grantRename(16), denyRename(17), grantReturnDN(18),
  denyReturnDN(19),
  -- permissions that may be used in conjunction
  -- with any component, except entry, of ProtectedItems 
  grantCompare(20), denyCompare(21), grantFilterMatch(22),
  denyFilterMatch(23),
  -- permissions that may be used in conjunction
  -- with entryMethod component of ProtectedItems 
  grantExecuteMethod(30), denyExecuteMethod(31)}

-- attributes 
prescriptiveACI ATTRIBUTE ::= {
  WITH SYNTAX             ACIItem
  EQUALITY MATCHING RULE  directoryStringFirstComponentMatch
  USAGE                   directoryOperation
  ID                      id-aca-prescriptiveACI
}

entryACI ATTRIBUTE ::= {
  WITH SYNTAX             ACIItem
  EQUALITY MATCHING RULE  directoryStringFirstComponentMatch
  USAGE                   directoryOperation
  ID                      id-aca-entryACI
}

subentryACI ATTRIBUTE ::= {
  WITH SYNTAX             ACIItem
  EQUALITY MATCHING RULE  directoryStringFirstComponentMatch
  USAGE                   directoryOperation
  ID                      id-aca-subentryACI
}

END
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D