-- Module BasicAccessControl (X.501:02/2001)
--
-- ASN.1 definitions for the Directory's Basic Access Control scheme: the
-- ACIItem type carried by the prescriptiveACI / entryACI / subentryACI
-- attributes, the supporting types (ProtectedItems, UserClasses,
-- AuthenticationLevel, GrantsAndDenials), the accessControlScheme attribute
-- that names the scheme in force, and the related object identifiers.
-- The access-control decision procedure that gives these types their
-- meaning is specified in X.501 itself and is not restated in this module.
BasicAccessControl {joint-iso-itu-t ds(5) module(1) basicAccessControl(24) 4}
DEFINITIONS ::=
BEGIN

-- EXPORTS All
-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
-- within the Directory Specifications, and for the use of other applications which will use them to access
-- Directory services. Other applications may use them for their own purposes, but this will not constrain
-- extensions and modifications needed to maintain or improve the Directory service.

IMPORTS
  -- from ITU-T Rec. X.501 | ISO/IEC 9594-2
  -- NOTE: the FROM clauses below spell out each module's object identifier
  -- literally, so directoryAbstractService, informationFramework,
  -- selectedAttributeTypes and upperBounds (and DistinguishedName,
  -- MATCHING-RULE and UniqueIdentifier further down) are imported but not
  -- referenced anywhere in this module.
  directoryAbstractService, id-aca, id-acScheme, informationFramework,
    selectedAttributeTypes, upperBounds
    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 4}

  ATTRIBUTE, AttributeType, ContextAssertion, DistinguishedName, MATCHING-RULE,
    objectIdentifierMatch, Refinement, SubtreeSpecification, SupportedAttributes
    FROM InformationFramework {joint-iso-itu-t ds(5) module(1) informationFramework(1) 4}

  -- from ITU-T Rec. X.511 | ISO/IEC 9594-3
  Filter
    FROM DirectoryAbstractService {joint-iso-itu-t ds(5) module(1) directoryAbstractService(2) 4}

  -- from ITU-T Rec. X.520 | ISO/IEC 9594-6
  DirectoryString{}, directoryStringFirstComponentMatch, NameAndOptionalUID, UniqueIdentifier
    FROM SelectedAttributeTypes {joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 4}

  ub-tag
    FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 4};

-- types

-- One access control information item.
--   identificationTag   is the first component, and therefore the only
--                       component the ACI attributes below compare when
--                       matching (directoryStringFirstComponentMatch).
--   precedence          ranks this item against others that apply to the
--                       same request (ranking rules: X.501 decision function).
--   authenticationLevel the requestor authentication this item is tied to;
--                       how a requestor's actual level is compared against it
--                       is defined in X.501, not here.
--   itemOrUserFirst     selects whether the item is organised by protected
--                       item (itemFirst) or by user class (userFirst).
ACIItem ::= SEQUENCE {
  identificationTag    DirectoryString{ub-tag},
  precedence           Precedence,
  authenticationLevel  AuthenticationLevel,
  itemOrUserFirst      CHOICE {
    itemFirst  [0] SEQUENCE {
      protectedItems   ProtectedItems,
      itemPermissions  SET OF ItemPermission},
    userFirst  [1] SEQUENCE {
      userClasses      UserClasses,
      userPermissions  SET OF UserPermission}}
}

-- Constrained to a single octet's range; values outside 0..255 are invalid
-- at the ASN.1 level rather than being clamped.
Precedence ::= INTEGER(0..255)

-- What an ACI item protects.  Every component is OPTIONAL, so an empty
-- ProtectedItems is syntactically valid.  Note that maxImmSub and the
-- maxCount inside MaxValueCount are unconstrained INTEGERs: nothing in this
-- syntax rejects zero or negative limits, so a consumer must validate them.
ProtectedItems ::= SEQUENCE {
  entry                           [0]  NULL OPTIONAL,
  allUserAttributeTypes           [1]  NULL OPTIONAL,
  attributeType                   [2]  SET SIZE (1..MAX) OF AttributeType OPTIONAL,
  allAttributeValues              [3]  SET SIZE (1..MAX) OF AttributeType OPTIONAL,
  allUserAttributeTypesAndValues  [4]  NULL OPTIONAL,
  attributeValue                  [5]  SET SIZE (1..MAX) OF AttributeTypeAndValue OPTIONAL,
  selfValue                       [6]  SET SIZE (1..MAX) OF AttributeType OPTIONAL,
  rangeOfValues                   [7]  Filter OPTIONAL,
  maxValueCount                   [8]  SET SIZE (1..MAX) OF MaxValueCount OPTIONAL,
  maxImmSub                       [9]  INTEGER OPTIONAL,
  restrictedBy                    [10] SET SIZE (1..MAX) OF RestrictedValue OPTIONAL,
  contexts                        [11] SET SIZE (1..MAX) OF ContextAssertion OPTIONAL,
  classes                         [12] Refinement OPTIONAL
}

-- Per-attribute-type value limit; maxCount carries no subtype constraint.
MaxValueCount ::= SEQUENCE {type  AttributeType,
                            maxCount  INTEGER
}

-- Restricts values of 'type' to those also present in attribute 'valuesIn'.
RestrictedValue ::= SEQUENCE {type  AttributeType,
                              valuesIn  AttributeType
}

-- Who an ACI item applies to.  As with ProtectedItems, all components are
-- OPTIONAL; membership of a requestor in a given class is decided by the
-- X.501 procedure, not by this syntax.
UserClasses ::= SEQUENCE {
  allUsers   [0]  NULL OPTIONAL,
  thisEntry  [1]  NULL OPTIONAL,
  name       [2]  SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
  userGroup  [3]  SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
  -- dn component shall be the name of an
  -- entry of GroupOfUniqueNames
  subtree    [4]  SET SIZE (1..MAX) OF SubtreeSpecification OPTIONAL
}

-- A (userClasses, grantsAndDenials) pair inside an itemFirst ACIItem.
ItemPermission ::= SEQUENCE {
  precedence        Precedence OPTIONAL,
  -- defaults to precedence in ACIItem
  userClasses       UserClasses,
  grantsAndDenials  GrantsAndDenials
}

-- A (protectedItems, grantsAndDenials) pair inside a userFirst ACIItem.
UserPermission ::= SEQUENCE {
  precedence        Precedence OPTIONAL,
  -- defaults to precedence in ACIItem
  protectedItems    ProtectedItems,
  grantsAndDenials  GrantsAndDenials
}

-- basicLevels: 'level' is a closed enumeration (none / simple / strong);
--   'localQualifier' is an INTEGER whose meaning is not defined in this
--   module; 'signed' DEFAULTs to FALSE, so an encoding that omits it means
--   "not signed".
-- other: an EXTERNAL, i.e. an opaque, externally typed level.  NOTE(review):
--   a consumer that does not understand the EXTERNAL's content has no way to
--   order it against basicLevels from this syntax alone; treat that as an
--   explicit policy decision rather than silently assuming a level.
AuthenticationLevel ::= CHOICE {
  basicLevels  SEQUENCE {level           ENUMERATED {none(0), simple(1), strong(2)},
                         localQualifier  INTEGER OPTIONAL,
                         signed          BOOLEAN DEFAULT FALSE},
  other        EXTERNAL
}

-- Bit positions come in grant/deny pairs: even bit = grant, the following
-- odd bit = deny of the same permission.  The BIT STRING type itself does not
-- stop both bits of a pair, or bits that belong to a different ProtectedItems
-- component, from being set together; resolving such combinations is left to
-- the X.501 decision procedure, so decoders should not assume consistency.
GrantsAndDenials ::= BIT STRING {
  -- permissions that may be used in conjunction
  -- with any component of ProtectedItems
  grantAdd             (0),
  denyAdd              (1),
  grantDiscloseOnError (2),
  denyDiscloseOnError  (3),
  grantRead            (4),
  denyRead             (5),
  grantRemove          (6),
  denyRemove           (7),
  -- permissions that may be used only in conjunction
  -- with the entry component
  grantBrowse          (8),
  denyBrowse           (9),
  grantExport          (10),
  denyExport           (11),
  grantImport          (12),
  denyImport           (13),
  grantModify          (14),
  denyModify           (15),
  grantRename          (16),
  denyRename           (17),
  grantReturnDN        (18),
  denyReturnDN         (19),
  -- permissions that may be used in conjunction
  -- with any component, except entry, of ProtectedItems
  grantCompare         (20),
  denyCompare          (21),
  grantFilterMatch     (22),
  denyFilterMatch      (23),
  grantInvoke          (24),
  denyInvoke           (25)}

-- The value's ASN.1 type is fixed by the attribute selected in 'type'
-- through the SupportedAttributes object set (table constraint).
AttributeTypeAndValue ::= SEQUENCE {
  type   ATTRIBUTE.&id({SupportedAttributes}),
  value  ATTRIBUTE.&Type({SupportedAttributes}{@type})
}

-- attributes

-- Single-valued: an entry states at most one scheme at a time.
accessControlScheme ATTRIBUTE ::= {
  WITH SYNTAX             OBJECT IDENTIFIER
  EQUALITY MATCHING RULE  objectIdentifierMatch
  SINGLE VALUE            TRUE
  USAGE                   directoryOperation
  ID                      id-aca-accessControlScheme
}

-- The three ACI attributes below all use directoryStringFirstComponentMatch,
-- so equality is decided on ACIItem.identificationTag alone: two values with
-- the same tag but different permissions compare equal for matching purposes.
prescriptiveACI ATTRIBUTE ::= {
  WITH SYNTAX             ACIItem
  EQUALITY MATCHING RULE  directoryStringFirstComponentMatch
  USAGE                   directoryOperation
  ID                      id-aca-prescriptiveACI
}

entryACI ATTRIBUTE ::= {
  WITH SYNTAX             ACIItem
  EQUALITY MATCHING RULE  directoryStringFirstComponentMatch
  USAGE                   directoryOperation
  ID                      id-aca-entryACI
}

subentryACI ATTRIBUTE ::= {
  WITH SYNTAX             ACIItem
  EQUALITY MATCHING RULE  directoryStringFirstComponentMatch
  USAGE                   directoryOperation
  ID                      id-aca-subentryACI
}

-- object identifier assignments

-- attributes
-- (arcs id-aca 2 and 3 are not assigned in this module)
id-aca-accessControlScheme OBJECT IDENTIFIER ::= {id-aca 1}

id-aca-prescriptiveACI OBJECT IDENTIFIER ::= {id-aca 4}

id-aca-entryACI OBJECT IDENTIFIER ::= {id-aca 5}

id-aca-subentryACI OBJECT IDENTIFIER ::= {id-aca 6}

-- access control schemes -
basicAccessControlScheme OBJECT IDENTIFIER ::= {id-acScheme 1}

simplifiedAccessControlScheme OBJECT IDENTIFIER ::= {id-acScheme 2}

rule-based-access-control OBJECT IDENTIFIER ::= {id-acScheme 3}

rule-and-basic-access-control OBJECT IDENTIFIER ::= {id-acScheme 4}

rule-and-simple-access-control OBJECT IDENTIFIER ::= {id-acScheme 5}

END -- BasicAccessControl

-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D