-- Module IN-CS2-SDF-BasicAccessControl (Q.1228:09/1997)
-- See also ITU-T Q.1228 (09/1997)
-- See also the index of all ASN.1 assignments needed in this document
IN-CS2-SDF-BasicAccessControl {itu-t recommendation q 1228 modules(0)
sdfBasicAccessControl(10) version1(0)} DEFINITIONS ::=
BEGIN
-- EXPORTS All
-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
-- within the Directory Specifications, and for the use of other applications which will use them to access
-- Directory services. Other applications may use them for their own purposes, but this will not constrain
-- extensions and modifications needed to maintain or improve the Directory service.
IMPORTS
informationFramework, upperBounds, selectedAttributeTypes,
basicAccessControl, directoryAbstractService
FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
usefulDefinitions(0) 3}
ATTRIBUTE, AttributeType,
--AttributeTypeAndValue,
SubtreeSpecification, ContextAssertion
FROM InformationFramework {joint-iso-itu-t ds(5) module(1)
informationFramework(1) 3}
AttributeTypeAndValue, MaxValueCount, RestrictedValue, AuthenticationLevel,
Precedence
FROM BasicAccessControl {joint-iso-itu-t ds(5) module(1)
basicAccessControl(24) 3}
id-aca-prescriptiveACI, id-aca-entryACI, id-aca-subentryACI,
sdf-InformationFramework
FROM IN-CS2-object-identifiers {itu-t recommendation q 1228 modules(0)
in-cs2-object-identifiers(17) version1(0)}
ub-tag
FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 3}
METHOD
FROM IN-CS2-SDF-InformationFramework {itu-t recommendation q 1228
modules(0) sdfInformationFramework(9) version1(0)}
--sdf-InformationFramework,
Filter
FROM DirectoryAbstractService {joint-iso-itu-t ds(5) module(1)
directoryAbstractService(2) 3}
NameAndOptionalUID, directoryStringFirstComponentMatch, DirectoryString{}
FROM SelectedAttributeTypes {joint-iso-itu-t ds(5) module(1)
selectedAttributeTypes(5) 3};
-- types
-- ACIItem: one access control information item. It is the value syntax of the
-- prescriptiveACI, entryACI and subentryACI attributes defined in this module.
-- NOTE(review): Precedence and AuthenticationLevel are imported from
-- BasicAccessControl; their value ranges and evaluation rules are not visible
-- in this module and must be taken from that definition.
ACIItem ::= SEQUENCE {
-- label for the item, a DirectoryString bounded by ub-tag (from UpperBounds)
identificationTag DirectoryString{ub-tag},
precedence Precedence,
authenticationLevel AuthenticationLevel,
-- The same item can be written in one of two layouts:
--   itemFirst [0]: one ProtectedItems value, then permissions per user class
--   userFirst [1]: one UserClasses value, then permissions per protected item
-- Neither SET OF carries a SIZE constraint, so an empty permission set is
-- syntactically valid and has to be handled by whatever evaluates the item.
itemOrUserFirst
CHOICE {itemFirst
[0] SEQUENCE {protectedItems ProtectedItems,
itemPermissions SET OF ItemPermission},
userFirst
[1] SEQUENCE {userClasses UserClasses,
userPermissions SET OF UserPermission}}
}
-- ProtectedItems: selects what an access control item applies to.
-- Every component is OPTIONAL, so the syntax also accepts a value with no
-- component present. This module does not say how such a value is evaluated;
-- a consumer should treat that case explicitly rather than by accident.
ProtectedItems ::= SEQUENCE {
-- NULL components carry no value; only their presence or absence matters
entry [0] NULL OPTIONAL,
allUserAttributeTypes [1] NULL OPTIONAL,
attributeType [2] SET OF AttributeType OPTIONAL,
allAttributeValues [3] SET OF AttributeType OPTIONAL,
allUserAttributeTypesAndValues [4] NULL OPTIONAL,
attributeValue [5] SET OF AttributeTypeAndValue OPTIONAL,
selfValue [6] SET OF AttributeType OPTIONAL,
-- Filter is imported from DirectoryAbstractService
rangeOfValues [7] Filter OPTIONAL,
maxValueCount [8] SET OF MaxValueCount OPTIONAL,
-- unconstrained INTEGER: zero and negative values are syntactically valid,
-- so the consumer needs its own range check
maxImmSub [9] INTEGER OPTIONAL,
restrictedBy [10] SET OF RestrictedValue OPTIONAL,
contexts [11] SET OF ContextAssertion OPTIONAL,
-- set of METHOD identifiers (see MethodIDs); pairs with the
-- grantExecuteMethod and denyExecuteMethod bits of GrantsAndDenials.
-- Tag [30] is not contiguous with [11].
-- NOTE(review): presumably kept clear of tags used by the base definition
-- in BasicAccessControl; confirm against Q.1228.
entryMethods [30] SET OF MethodIDs OPTIONAL
}
-- MethodIDs: the type of the &id field of the METHOD information object class,
-- which is imported from IN-CS2-SDF-InformationFramework. Used by the
-- entryMethods component of ProtectedItems.
-- NOTE(review): the field type is not visible here (presumably an
-- OBJECT IDENTIFIER); no table constraint restricts it to a known object set,
-- so the syntax alone does not limit values to defined methods.
MethodIDs ::= METHOD.&id
-- UserClasses: selects the users an access control item applies to.
-- Every component is OPTIONAL, so the syntax also accepts a value with no
-- component present; how such a value is evaluated is not defined here.
UserClasses ::= SEQUENCE {
-- NULL components carry no value; only their presence or absence matters
allUsers [0] NULL OPTIONAL,
thisEntry [1] NULL OPTIONAL,
name [2] SET OF NameAndOptionalUID OPTIONAL,
userGroup [3] SET OF NameAndOptionalUID OPTIONAL,
-- For userGroup: the dn component must be the name of an
-- entry of GroupOfUniqueNames. The syntax cannot express this, so it has to
-- be checked when the item is stored or evaluated.
subtree [4] SET OF SubtreeSpecification OPTIONAL
}
-- ItemPermission: the grants and denials for one UserClasses value. Used in
-- the itemFirst layout of ACIItem, where the protected items are given once.
ItemPermission ::= SEQUENCE {
precedence Precedence OPTIONAL,
-- When absent, defaults to the precedence of the enclosing ACIItem. This is
-- a rule stated in prose, not an ASN.1 DEFAULT, so a decoder returns the
-- component as absent and the evaluator must substitute the value itself.
userClasses UserClasses,
grantsAndDenials GrantsAndDenials
}
-- UserPermission: the grants and denials for one ProtectedItems value. Used in
-- the userFirst layout of ACIItem, where the user classes are given once.
UserPermission ::= SEQUENCE {
precedence Precedence OPTIONAL,
-- When absent, defaults to the precedence of the enclosing ACIItem. This is
-- a rule stated in prose, not an ASN.1 DEFAULT, so a decoder returns the
-- component as absent and the evaluator must substitute the value itself.
protectedItems ProtectedItems,
grantsAndDenials GrantsAndDenials
}
-- GrantsAndDenials: named-bit set of permissions carried by ItemPermission and
-- UserPermission. Each permission has a grant bit at an even position and a
-- deny bit at the following odd position.
-- The BIT STRING carries no constraint. A value may therefore set both the
-- grant and the deny bit of one permission, and may set bits 24 to 29, which
-- are not named here. The groupings described in the comments below are not
-- expressed in the syntax either, so whatever evaluates an ACIItem has to
-- enforce them and define how conflicting or unknown bits are treated.
GrantsAndDenials ::= BIT STRING {
-- permissions that may be used in conjunction
-- with any component of ProtectedItems
grantAdd(0), denyAdd(1), grantDiscloseOnError(2), denyDiscloseOnError(3),
grantRead(4), denyRead(5), grantRemove(6),
denyRemove(7),
-- permissions that may be used only in conjunction
-- with the entry component
grantBrowse(8), denyBrowse(9), grantExport(10), denyExport(11),
grantImport(12), denyImport(13), grantModify(14), denyModify(15),
grantRename(16), denyRename(17), grantReturnDN(18),
denyReturnDN(19),
-- permissions that may be used in conjunction
-- with any component, except entry, of ProtectedItems
grantCompare(20), denyCompare(21), grantFilterMatch(22),
denyFilterMatch(23),
-- permissions that may be used in conjunction
-- with the entryMethods component of ProtectedItems
grantExecuteMethod(30), denyExecuteMethod(31)}
-- attributes
-- prescriptiveACI: attribute whose values are ACIItem values.
-- USAGE directoryOperation makes it a directory operational attribute, not a
-- user attribute. The object identifier comes from IN-CS2-object-identifiers.
-- NOTE(review): going by its name, the equality matching rule compares only
-- the first component of the value, which for ACIItem is identificationTag;
-- two items with the same tag would then match regardless of their
-- permissions. Confirm against the rule's definition in SelectedAttributeTypes.
prescriptiveACI ATTRIBUTE ::= {
WITH SYNTAX ACIItem
EQUALITY MATCHING RULE directoryStringFirstComponentMatch
USAGE directoryOperation
ID id-aca-prescriptiveACI
}
-- entryACI: attribute whose values are ACIItem values.
-- USAGE directoryOperation makes it a directory operational attribute, not a
-- user attribute. The object identifier comes from IN-CS2-object-identifiers.
-- NOTE(review): going by its name, the equality matching rule compares only
-- the first component of the value, which for ACIItem is identificationTag;
-- two items with the same tag would then match regardless of their
-- permissions. Confirm against the rule's definition in SelectedAttributeTypes.
entryACI ATTRIBUTE ::= {
WITH SYNTAX ACIItem
EQUALITY MATCHING RULE directoryStringFirstComponentMatch
USAGE directoryOperation
ID id-aca-entryACI
}
-- subentryACI: attribute whose values are ACIItem values.
-- USAGE directoryOperation makes it a directory operational attribute, not a
-- user attribute. The object identifier comes from IN-CS2-object-identifiers.
-- NOTE(review): going by its name, the equality matching rule compares only
-- the first component of the value, which for ACIItem is identificationTag;
-- two items with the same tag would then match regardless of their
-- permissions. Confirm against the rule's definition in SelectedAttributeTypes.
subentryACI ATTRIBUTE ::= {
WITH SYNTAX ACIItem
EQUALITY MATCHING RULE directoryStringFirstComponentMatch
USAGE directoryOperation
ID id-aca-subentryACI
}
END
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D