-- ASN.1 module extracted from ITU-T X.501 (10/2016)

-- Basic Access Control module of the Directory. It defines the ACIItem type
-- carried by the prescriptiveACI, entryACI and subentryACI operational
-- attributes, the component types ACIItem is built from (ProtectedItems,
-- UserClasses, ItemPermission, UserPermission, AuthenticationLevel,
-- GrantsAndDenials), the accessControlScheme attribute, and the object
-- identifiers of the access control schemes.
-- Every ASN.1 comment runs from "--" to end of line; the module is laid out
-- one comment per line so that no second "--" closes a comment mid-sentence.
BasicAccessControl {joint-iso-itu-t ds(5) module(1) basicAccessControl(24) 8}
DEFINITIONS ::=
BEGIN

-- EXPORTS All
-- The types and values defined in this module are exported for use in the other ASN.1
-- modules contained within these Directory Specifications, and for the use of other
-- applications which will use them to access Directory services. Other applications may
-- use them for their own purposes, but this will not constrain extensions and
-- modifications needed to maintain or improve the Directory service.

IMPORTS
  -- from Rec. ITU-T X.501 | ISO/IEC 9594-2
  directoryAbstractService, id-aca, id-acScheme, informationFramework,
  selectedAttributeTypes
    FROM UsefulDefinitions
      {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 8}

  -- NOTE(review): DistinguishedName, MATCHING-RULE and SupportedAttributes
  -- (and UniqueIdentifier below) are imported but not referenced by any
  -- definition in this module; kept exactly as in the source text.
  ATTRIBUTE, AttributeType, AttributeTypeAndValue, ContextAssertion,
  DistinguishedName, MATCHING-RULE, objectIdentifierMatch, Refinement,
  SubtreeSpecification, SupportedAttributes
    FROM InformationFramework informationFramework

  -- from Rec. ITU-T X.511 | ISO/IEC 9594-3
  Filter
    FROM DirectoryAbstractService directoryAbstractService

  -- from Rec. ITU-T X.520 | ISO/IEC 9594-6
  directoryStringFirstComponentMatch, NameAndOptionalUID,
  UnboundedDirectoryString, UniqueIdentifier
    FROM SelectedAttributeTypes selectedAttributeTypes;

-- Operational attribute holding the object identifier of the access control
-- scheme in force (see the "access control schemes" values at the end of
-- this module). Single valued; equality is objectIdentifierMatch.
accessControlScheme ATTRIBUTE ::= {
  WITH SYNTAX             OBJECT IDENTIFIER
  EQUALITY MATCHING RULE  objectIdentifierMatch
  SINGLE VALUE            TRUE
  USAGE                   directoryOperation
  ID                      id-aca-accessControlScheme }

-- types

-- One access control information item. identificationTag is the first
-- component and is what the ACI attributes below match on. The CHOICE fixes
-- which side is enumerated first: itemFirst lists the protected items and,
-- per ItemPermission, the user classes and permissions; userFirst lists the
-- user classes and, per UserPermission, the protected items and permissions.
ACIItem ::= SEQUENCE {
  identificationTag    UnboundedDirectoryString,
  precedence           Precedence,
  authenticationLevel  AuthenticationLevel,
  itemOrUserFirst      CHOICE {
    itemFirst       [0]  SEQUENCE {
      protectedItems   ProtectedItems,
      itemPermissions  SET OF ItemPermission,
      ...},
    userFirst       [1]  SEQUENCE {
      userClasses      UserClasses,
      userPermissions  SET OF UserPermission,
      ...},
    ...},
  ... }

-- Root range is 0..255, but the constraint is extensible (",..."), so a
-- received value outside 0..255 is permitted by the type. How such a value
-- ranks against others is not defined in this module.
Precedence ::= INTEGER(0..255,...)

-- Selects the parts of an entry an ACIItem protects. Every component is
-- OPTIONAL; each SET component carries SIZE (1..MAX), so an empty set is not
-- a valid value. rangeOfValues reuses the Filter type from X.511.
ProtectedItems ::= SEQUENCE {
  entry                           [0]  NULL OPTIONAL,
  allUserAttributeTypes           [1]  NULL OPTIONAL,
  attributeType                   [2]  SET SIZE (1..MAX) OF AttributeType OPTIONAL,
  allAttributeValues              [3]  SET SIZE (1..MAX) OF AttributeType OPTIONAL,
  allUserAttributeTypesAndValues  [4]  NULL OPTIONAL,
  attributeValue                  [5]  SET SIZE (1..MAX) OF AttributeTypeAndValue OPTIONAL,
  selfValue                       [6]  SET SIZE (1..MAX) OF AttributeType OPTIONAL,
  rangeOfValues                   [7]  Filter OPTIONAL,
  maxValueCount                   [8]  SET SIZE (1..MAX) OF MaxValueCount OPTIONAL,
  -- NOTE(review): maxImmSub (and MaxValueCount.maxCount) are unconstrained
  -- INTEGERs; an implementation should bound them before using them as
  -- counts.
  maxImmSub                       [9]  INTEGER OPTIONAL,
  restrictedBy                    [10] SET SIZE (1..MAX) OF RestrictedValue OPTIONAL,
  contexts                        [11] SET SIZE (1..MAX) OF ContextAssertion OPTIONAL,
  classes                         [12] Refinement OPTIONAL,
  ... }

-- An attribute type paired with a count (used by ProtectedItems.maxValueCount).
MaxValueCount ::= SEQUENCE {
  type      AttributeType,
  maxCount  INTEGER,
  ... }

-- An attribute type paired with a second attribute type, valuesIn (used by
-- ProtectedItems.restrictedBy).
RestrictedValue ::= SEQUENCE {
  type      AttributeType,
  valuesIn  AttributeType,
  ... }

-- Identifies the users an ACIItem applies to: all users, the entry itself,
-- named users, members of named groups, or users located in subtrees.
-- Every component is OPTIONAL; SET components carry SIZE (1..MAX).
UserClasses ::= SEQUENCE {
  allUsers   [0]  NULL OPTIONAL,
  thisEntry  [1]  NULL OPTIONAL,
  name       [2]  SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
  userGroup  [3]  SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
                  -- dn component shall be the name of an
                  -- entry of GroupOfUniqueNames
  subtree    [4]  SET SIZE (1..MAX) OF SubtreeSpecification OPTIONAL,
  ... }

-- Permission entry of an itemFirst ACIItem: the user classes granted or
-- denied the listed permissions on that item's protected items.
ItemPermission ::= SEQUENCE {
  precedence        Precedence OPTIONAL,
                    -- defaults to precedence in ACIItem
  userClasses       UserClasses,
  grantsAndDenials  GrantsAndDenials,
  ... }

-- Permission entry of a userFirst ACIItem: the protected items on which the
-- item's user classes are granted or denied the listed permissions.
UserPermission ::= SEQUENCE {
  precedence        Precedence OPTIONAL,
                    -- defaults to precedence in ACIItem
  protectedItems    ProtectedItems,
  grantsAndDenials  GrantsAndDenials,
  ... }

-- Authentication level carried in ACIItem.authenticationLevel.
-- basicLevels.signed is DEFAULT FALSE: a DER encoder omits the component
-- when the value is FALSE, and a decoder must supply FALSE when it is absent.
-- The ENUMERATED is extensible, so a level other than none/simple/strong may
-- be received.
-- NOTE(review): the 'other' alternative is an EXTERNAL, i.e. an opaque,
-- externally defined value; a decoder that does not recognise its content
-- should not map it onto one of the basic levels.
AuthenticationLevel ::= CHOICE {
  basicLevels     SEQUENCE {
    level           ENUMERATED {none(0), simple(1), strong(2),...},
    localQualifier  INTEGER OPTIONAL,
    signed          BOOLEAN DEFAULT FALSE,
    ...},
  other           EXTERNAL,
  ... }

-- Named bits: each permission is a grant/deny pair of adjacent bits
-- (grantX at 2k, denyX at 2k+1). The three groups below differ in which
-- ProtectedItems components they may be combined with.
-- NOTE(review): how a grant bit and its deny bit set in the same value, or
-- conflicting items of equal precedence, are resolved is specified in X.501,
-- not in this module; confirm before implementing a decision procedure.
GrantsAndDenials ::= BIT STRING {
  -- permissions that may be used in conjunction
  -- with any component of ProtectedItems
  grantAdd             (0),
  denyAdd              (1),
  grantDiscloseOnError (2),
  denyDiscloseOnError  (3),
  grantRead            (4),
  denyRead             (5),
  grantRemove          (6),
  denyRemove           (7),
  -- permissions that may be used only in conjunction
  -- with the entry component
  grantBrowse          (8),
  denyBrowse           (9),
  grantExport          (10),
  denyExport           (11),
  grantImport          (12),
  denyImport           (13),
  grantModify          (14),
  denyModify           (15),
  grantRename          (16),
  denyRename           (17),
  grantReturnDN        (18),
  denyReturnDN         (19),
  -- permissions that may be used in conjunction
  -- with any component, except entry, of ProtectedItems
  grantCompare         (20),
  denyCompare          (21),
  grantFilterMatch     (22),
  denyFilterMatch      (23),
  grantInvoke          (24),
  denyInvoke           (25) }

-- attributes

-- The three ACI attributes share the ACIItem syntax and are compared with
-- directoryStringFirstComponentMatch, i.e. on ACIItem.identificationTag.
-- None is SINGLE VALUE, so several ACIItems may be present on one entry.
prescriptiveACI ATTRIBUTE ::= {
  WITH SYNTAX             ACIItem
  EQUALITY MATCHING RULE  directoryStringFirstComponentMatch
  USAGE                   directoryOperation
  ID                      id-aca-prescriptiveACI }

entryACI ATTRIBUTE ::= {
  WITH SYNTAX             ACIItem
  EQUALITY MATCHING RULE  directoryStringFirstComponentMatch
  USAGE                   directoryOperation
  ID                      id-aca-entryACI }

subentryACI ATTRIBUTE ::= {
  WITH SYNTAX             ACIItem
  EQUALITY MATCHING RULE  directoryStringFirstComponentMatch
  USAGE                   directoryOperation
  ID                      id-aca-subentryACI }

-- object identifier assignments

-- attributes
id-aca-accessControlScheme  OBJECT IDENTIFIER ::= {id-aca 1}
id-aca-prescriptiveACI      OBJECT IDENTIFIER ::= {id-aca 4}
id-aca-entryACI             OBJECT IDENTIFIER ::= {id-aca 5}
id-aca-subentryACI          OBJECT IDENTIFIER ::= {id-aca 6}

-- access control schemes
-- Values for the accessControlScheme attribute defined above.
basicAccessControlScheme       OBJECT IDENTIFIER ::= {id-acScheme 1}
simplifiedAccessControlScheme  OBJECT IDENTIFIER ::= {id-acScheme 2}
rule-based-access-control      OBJECT IDENTIFIER ::= {id-acScheme 3}
rule-and-basic-access-control  OBJECT IDENTIFIER ::= {id-acScheme 4}
rule-and-simple-access-control OBJECT IDENTIFIER ::= {id-acScheme 5}

END -- BasicAccessControl