Access Control

Access control is about who may do what, based on who the requestor has been authenticated as and how strongly. This section is about protecting information stored in a directory, but the concepts described here can be applied in other areas as well.

A piece of directory information that requires some kind of individual protection against unauthorized access is called a protected item. A protected item can be all the information stored about an entity, or it can be a particular piece of such information, for example a secret telephone number.

Access control can be related to different types of operations. As an example, a user may be allowed to read a piece of information, but not to modify it. At the extreme, a user may not even be allowed to learn that a certain piece of information exists.

The two views of access control

Figure 1 - Two views of access control

Access control is a question of two things:

  • information stored in a directory to be protected; and
  • users wanting to access that information.

Access control can therefore be viewed in two ways:

  • For each piece of information (protected item) it can be defined who is allowed to access that information and what operations each of those users may perform (referred to as item first).
  • For each user it can be defined what information that user may access and the type of operation allowed on it (referred to as user first).

Types of protected items

For each directory entry that a directory operation accesses, the protected item may be at one of several levels:

  • the complete entry;
  • all user attribute types within the entry, but not their values;
  • all user attribute types and values within the entry;
  • specific attribute types, but not their values;
  • specific attribute types with all their values;
  • specific attribute values within specific attribute types;
  • a self value (an attribute value that is the name of the requestor); and
  • a few more sophisticated cases.

Identification of users

Users may be identified individually or collectively, as follows:

  • the owner of the entry (the requestor accessing its own entry)
  • a specific user
  • a user group
  • all users
  • all users whose names fall within a given subtree

Item first definitions

Figure 2 - Item first

User first definitions

Figure 3 - User first
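The following is an added example, not code or text from this tutorial or from the X.500 standards. It models the concepts above in Python: one selector per level of protected item, one per class of user, and the same policy for a person's entry written both item first and user first, with a check that the two views reach identical decisions. The organisation "o=Example", the entries, the groups and the attribute names (including "secretTelephoneNumber") are made up for the example. The evaluator is grant-only with default deny; X.501 Basic Access Control additionally supports explicit denials and precedence, which are not modelled here.

```python
"""Toy evaluator for directory access control in the two views the tutorial
describes (item first and user first).  Added example, not code from the
X.500 tutorial; DNs, attribute names and group names are made up."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str                      # distinguished name of the requestor
    groups: FrozenSet[str]         # groups the requestor belongs to
    entry: str                     # DN of the entry being accessed
    attr: Optional[str] = None     # attribute type, None = the entry itself
    value: Optional[str] = None    # attribute value, None = the type only
    op: str = "read"               # "read" or "modify"


Selector = Callable[[Request], bool]

# Protected-item selectors, one per level in the tutorial's list.
def entry_item(r: Request) -> bool: return r.attr is None
def all_user_attribute_types(r: Request) -> bool: return r.attr is not None and r.value is None
def all_user_attribute_types_and_values(r: Request) -> bool: return r.attr is not None
def attribute_type(*types: str) -> Selector:               # types, but not their values
    return lambda r: r.attr in types and r.value is None
def all_attribute_values(*types: str) -> Selector:         # types with all their values
    return lambda r: r.attr in types
def attribute_value(attr: str, *values: str) -> Selector:  # specific values of a type
    return lambda r: r.attr == attr and r.value in values
def self_value(attr: str) -> Selector:                     # value equal to the requestor's name
    return lambda r: r.attr == attr and r.value == r.user

# User classes, one per line in the tutorial's list.
def all_users(r: Request) -> bool: return True
def this_entry(r: Request) -> bool: return r.user == r.entry      # owner of the entry
def name(*dns: str) -> Selector: return lambda r: r.user in dns   # specific users
def user_group(*groups: str) -> Selector: return lambda r: bool(r.groups & set(groups))
def subtree(base: str) -> Selector:                               # everyone named under base
    return lambda r: r.user == base or r.user.endswith("," + base)


@dataclass
class ItemFirst:      # for each protected item: who may do what
    items: List[Selector]
    users: List[Tuple[Selector, Set[str]]]

@dataclass
class UserFirst:      # for each user class: which items, which operations
    users: List[Selector]
    items: List[Tuple[Selector, Set[str]]]

def grants(aci, r: Request) -> bool:
    if isinstance(aci, ItemFirst):
        return any(i(r) for i in aci.items) and any(u(r) and r.op in ops for u, ops in aci.users)
    return any(u(r) for u in aci.users) and any(i(r) and r.op in ops for i, ops in aci.items)

def permitted(policy, r: Request) -> bool:
    """Default deny: the operation is allowed only if some ACI item grants it."""
    return any(grants(a, r) for a in policy)

def visible_attributes(policy, user, groups, entry, attrs):
    """What a user sees of an entry: None (not even its existence) without read
    permission on the entry itself, otherwise only the readable attributes."""
    g = frozenset(groups)
    if not permitted(policy, Request(user, g, entry)):
        return None
    return {a: v for a, v in attrs.items() if permitted(policy, Request(user, g, entry, a, v))}


# Constructed sample data (hypothetical organisation "o=Example").
ALICE, BOB, OUTSIDER = "cn=Alice,ou=staff,o=Example", "cn=Bob,ou=staff,o=Example", "cn=Eve,o=Other"
GROUP = "cn=assistants,o=Example"
PUBLIC = ("cn", "telephoneNumber")
ALICE_ENTRY = {"cn": "Alice", "telephoneNumber": "+1 555 0100", "secretTelephoneNumber": "+1 555 0199"}

# The same policy, written item first ...
ITEM_FIRST_POLICY = [
    ItemFirst([entry_item, all_attribute_values(*PUBLIC)],
              [(subtree("o=Example"), {"read"}), (this_entry, {"read", "modify"})]),
    ItemFirst([all_attribute_values("secretTelephoneNumber")],
              [(this_entry, {"read", "modify"}), (user_group("assistants"), {"read"})]),
    ItemFirst([self_value("member")], [(subtree("o=Example"), {"modify"})]),  # join/leave groups
]
# ... and user first.
USER_FIRST_POLICY = [
    UserFirst([subtree("o=Example")],
              [(entry_item, {"read"}), (all_attribute_values(*PUBLIC), {"read"}),
               (self_value("member"), {"modify"})]),
    UserFirst([this_entry],
              [(entry_item, {"read", "modify"}), (all_attribute_values(*PUBLIC), {"read", "modify"}),
               (all_attribute_values("secretTelephoneNumber"), {"read", "modify"})]),
    UserFirst([user_group("assistants")], [(all_attribute_values("secretTelephoneNumber"), {"read"})]),
]

SUBJECTS = [(ALICE, ()), (BOB, ()), (BOB, ("assistants",)), (OUTSIDER, ())]

def same_decisions(p1, p2) -> bool:
    """True if both policies decide every sample request identically."""
    targets = [(ALICE, None, None)] + [(ALICE, a, v) for a, v in ALICE_ENTRY.items()] \
              + [(GROUP, "member", ALICE), (GROUP, "member", BOB)]
    return all(permitted(p1, r) == permitted(p2, r)
               for u, g in SUBJECTS for e, a, v in targets for op in ("read", "modify")
               for r in [Request(u, frozenset(g), e, a, v, op)])

if __name__ == "__main__":
    for who, g in SUBJECTS:
        print(who, g, "sees", visible_attributes(ITEM_FIRST_POLICY, who, g, ALICE, ALICE_ENTRY))
    print("views agree:", same_decisions(ITEM_FIRST_POLICY, USER_FIRST_POLICY))
```

Running it shows the point the tutorial makes about existence: the outsider gets no answer at all for Alice's entry, a colleague sees only the public attributes, an assistant also sees the secret number but cannot change it, and Alice sees and may change everything. Because both representations are checked against the same requests, the item-first and user-first policies must grant exactly the same rights, which is the intended relationship between the two views.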
