-- ASN module extracted from ITU-T X.501 (10/2019)
BasicAccessControl
{joint-iso-itu-t ds(5) module(1) basicAccessControl(24) 10}
DEFINITIONS ::=
BEGIN
-- EXPORTS All
/*
The types and values defined in this module are exported for use in the other ASN.1
modules contained within these Directory Specifications, and for the use of other
applications which will use them to access Directory services. Other applications may
use them for their own purposes, but this will not constrain extensions and
modifications needed to maintain or improve the Directory service.
*/
IMPORTS
-- from Rec. ITU-T X.501 | ISO/IEC 9594-2
id-aca, id-acScheme,
ATTRIBUTE, AttributeType, AttributeTypeAndValue, DistinguishedName,
MATCHING-RULE, objectIdentifierMatch, -- From InformationFramework
UnboundedDirectoryString -- From SectedAttribute
FROM UsefulDefinitions
{joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 10} WITH SUCCESSORS
--ATTRIBUTE, AttributeType, AttributeTypeAndValue, --ContextAssertion,--
--DistinguishedName, MATCHING-RULE, objectIdentifierMatch, -- Refinement,
SubtreeSpecification --, SupportedAttributes
FROM InformationFramework
{joint-iso-itu-t ds(5) module(1) informationFramework(1) 10} WITH SUCCESSORS
-- from Rec. ITU-T X.511 | ISO/IEC 9594-3
Filter
FROM DirectoryAbstractService
{joint-iso-itu-t ds(5) module(1) directoryAbstractService(2) 10} WITH SUCCESSORS
-- from Rec. ITU-T X.520 | ISO/IEC 9594-6
directoryStringFirstComponentMatch, NameAndOptionalUID,
--UnboundedDirectoryString, -- UniqueIdentifier
FROM SelectedAttributeTypes
{joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 10} WITH SUCCESSORS ;
accessControlScheme ATTRIBUTE ::= {
WITH SYNTAX OBJECT IDENTIFIER
EQUALITY MATCHING RULE objectIdentifierMatch
SINGLE VALUE TRUE
USAGE directoryOperation
ID id-aca-accessControlScheme }
-- types
ACIItem ::= SEQUENCE {
identificationTag UnboundedDirectoryString,
precedence Precedence,
authenticationLevel AuthenticationLevel,
itemOrUserFirst CHOICE {
itemFirst [0] SEQUENCE {
protectedItems ProtectedItems,
itemPermissions SET OF ItemPermission,
...},
userFirst [1] SEQUENCE {
userClasses UserClasses,
userPermissions SET OF UserPermission,
...},
...},
... }
Precedence ::= INTEGER(0..255,...)
ProtectedItems ::= SEQUENCE {
entry [0] NULL OPTIONAL,
allUserAttributeTypes [1] NULL OPTIONAL,
attributeType [2] SET SIZE (1..MAX) OF AttributeType
OPTIONAL,
allAttributeValues [3] SET SIZE (1..MAX) OF AttributeType
OPTIONAL,
allUserAttributeTypesAndValues [4] NULL OPTIONAL,
attributeValue [5] SET SIZE (1..MAX) OF AttributeTypeAndValue
OPTIONAL,
selfValue [6] SET SIZE (1..MAX) OF AttributeType
OPTIONAL,
rangeOfValues [7] Filter OPTIONAL,
maxValueCount [8] SET SIZE (1..MAX) OF MaxValueCount
OPTIONAL,
maxImmSub [9] INTEGER OPTIONAL,
restrictedBy [10] SET SIZE (1..MAX) OF RestrictedValue
OPTIONAL,
contexts [11] SET SIZE (1..MAX) OF ContextAssertion
OPTIONAL,
classes [12] Refinement OPTIONAL,
... }
MaxValueCount ::= SEQUENCE {
type AttributeType,
maxCount INTEGER,
... }
RestrictedValue ::= SEQUENCE {
type AttributeType,
valuesIn AttributeType,
... }
UserClasses ::= SEQUENCE {
allUsers [0] NULL OPTIONAL,
thisEntry [1] NULL OPTIONAL,
name [2] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
userGroup [3] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
-- dn component shall be the name of an
-- entry of GroupOfUniqueNames
subtree [4] SET SIZE (1..MAX) OF SubtreeSpecification OPTIONAL,
... }
ItemPermission ::= SEQUENCE {
precedence Precedence OPTIONAL,
-- defaults to precedence in ACIItem
userClasses UserClasses,
grantsAndDenials GrantsAndDenials,
... }
UserPermission ::= SEQUENCE {
precedence Precedence OPTIONAL,
-- defaults to precedence in ACIItem
protectedItems ProtectedItems,
grantsAndDenials GrantsAndDenials,
... }
AuthenticationLevel ::= CHOICE {
basicLevels SEQUENCE {
level ENUMERATED {none(0), simple(1), strong(2),...},
localQualifier INTEGER OPTIONAL,
signed BOOLEAN DEFAULT FALSE,
...},
other EXTERNAL,
... }
GrantsAndDenials ::= BIT STRING {
-- permissions that may be used in conjunction
-- with any component of ProtectedItems
grantAdd (0),
denyAdd (1),
grantDiscloseOnError (2),
denyDiscloseOnError (3),
grantRead (4),
denyRead (5),
grantRemove (6),
denyRemove (7),
-- permissions that may be used only in conjunction
-- with the entry component
grantBrowse (8),
denyBrowse (9),
grantExport (10),
denyExport (11),
grantImport (12),
denyImport (13),
grantModify (14),
denyModify (15),
grantRename (16),
denyRename (17),
grantReturnDN (18),
denyReturnDN (19),
-- permissions that may be used in conjunction
-- with any component, except entry, of ProtectedItems
grantCompare (20),
denyCompare (21),
grantFilterMatch (22),
denyFilterMatch (23),
grantInvoke (24),
denyInvoke (25) }
-- attributes
prescriptiveACI ATTRIBUTE ::= {
WITH SYNTAX ACIItem
EQUALITY MATCHING RULE directoryStringFirstComponentMatch
USAGE directoryOperation
ID id-aca-prescriptiveACI }
entryACI ATTRIBUTE ::= {
WITH SYNTAX ACIItem
EQUALITY MATCHING RULE directoryStringFirstComponentMatch
USAGE directoryOperation
ID id-aca-entryACI }
subentryACI ATTRIBUTE ::= {
WITH SYNTAX ACIItem
EQUALITY MATCHING RULE directoryStringFirstComponentMatch
USAGE directoryOperation
ID id-aca-subentryACI }
-- object identifier assignments
-- attributes
id-aca-accessControlScheme OBJECT IDENTIFIER ::= {id-aca 1}
id-aca-prescriptiveACI OBJECT IDENTIFIER ::= {id-aca 4}
id-aca-entryACI OBJECT IDENTIFIER ::= {id-aca 5}
id-aca-subentryACI OBJECT IDENTIFIER ::= {id-aca 6}
-- access control schemes
basicAccessControlScheme OBJECT IDENTIFIER ::= {id-acScheme 1}
simplifiedAccessControlScheme OBJECT IDENTIFIER ::= {id-acScheme 2}
rule-based-access-control OBJECT IDENTIFIER ::= {id-acScheme 3}
rule-and-basic-access-control OBJECT IDENTIFIER ::= {id-acScheme 4}
rule-and-simple-access-control OBJECT IDENTIFIER ::= {id-acScheme 5}
END -- BasicAccessControl