
Oracle9iAS Unified Messaging Administrator's Guide
Release 9.0.2

Part Number A95454-01

B
Oracle9iAS Unified Messaging Access Control Lists

This section provides an overview of access control list policies set for the mail, telephony, and wireless server components of Oracle9iAS Unified Messaging in Oracle Internet Directory. These directory access control lists are set in Oracle Internet Directory during the infrastructure installation phase.

This appendix contains the following topics:

Mail Server Access Control Lists

See Also:

Oracle Internet Directory Administrator's Guide for more information on access control lists

The Oracle9iAS Unified Messaging LDAP schema and entries are installed during the installation of Oracle Internet Directory. In Oracle Internet Directory, the cn=Products container under OracleContext contains all product-specific information. The mail server container underneath this product container contains all the Oracle Internet Directory entries related to the e-mail server component of Oracle9iAS Unified Messaging.

The %s_OracleContextDN% parameter described in the following access control lists can be the root or subscriber OracleContext.

During installation, the following privilege group is created:

cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products,%s_OracleContextDN%

The members of this group are the e-mail server component administrators. The access control lists on the cn=EMailServerContainer,cn=Products,%s_OracleContextDN% entry are as follows:

This example specifies the access control list that must be set for the public distribution lists to be searchable through standard clients. In an e-mail domain, the distribution lists are stored under the list container. For example, if the domain is oracle.com, the list container cn=List,dc=oracle,dc=com,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext must have the access control list "access to entry by * (browse)".

OID Group Membership for EmailAdminsGroup

The cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products,%s_OracleContextDN% group is also added to the following groups in order to have permissions for e-mail related directory operations.

Group Permissions

cn=ComputerAdmins, cn=Groups,%s_OracleContextDN%

The addition of EmailAdminsGroup to this group enables the e-mail administrators to create process entries under cn=Computers.

cn=UserProxyPrivilege, cn=Groups,%s_OracleContextDN%

The addition of EmailAdminsGroup to this group enables the e-mail administrators to proxy as the end users.

cn=AuthenticationServices,cn=Groups,%s_OracleContextDN%

The addition of EmailAdminsGroup to this group enables the e-mail servers to compare the user's password at the time of authentication.

cn=verifierServices,cn=Groups,%s_OracleContextDN%

The addition of EmailAdminsGroup to this group enables the e-mail servers to compare the orclpasswordverifier;email attribute. This is required for the voice mail authentication.

Oracle9iAS Unified Messaging Privilege Groups

The following privilege groups are created for Oracle9iAS Unified Messaging e-mail server component administration:

Group
cn=MailstoreAdminsGroup,cn=MailStores,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext

Permissions

This group has read, search, compare, selfwrite, and write access to the attribute orclPasswordAttribute of the mail store entry; everybody else is denied access to this attribute.

Members
cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products,cn=OracleContext
cn=DomainAdminsGroup,<Domain RDNs>,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext (if it exists)

Group
cn=DomainAdminsGroup,<Domain RDNs>,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext

where <Domain RDNs> for the domain oracle.com is the string dc=oracle,dc=com.


Note:

This group is present in a system where domain administrators have been created from the Thin Client administration pages.


Permissions

This group has add, delete, browse, read, search, compare, and write permissions on the particular domain.

Members
Domain administrator user's DN 
cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products,cn=OracleContext

Telephony Process Access Control Lists

See Also:

Oracle Internet Directory Administrator's Guide for more information on access control lists

The Oracle9iAS Unified Messaging LDAP schema and entries are installed during the installation of Oracle Internet Directory.

The UMContainer created under the products container stores Oracle9iAS Unified Messaging user and installation specific information.

Oracle9iAS Unified Messaging applications need access to both the UMContainer and EmailServerContainer directory information trees because Oracle9iAS Unified Messaging user information is spread over both directory information trees. To grant access to both directory information trees, a privilege group (AdminsGroup) is created under both the EmailServerContainer and the UMContainer, with appropriate access control lists applied.

The UMAdminsGroup is a privilege group created to access the UMContainer directory information tree. Members of this group include the creator, UMContainer, and EMailAdminsGroup.

The EmailAdminsGroup must be created before the UMAdminsGroup. After the UMAdminsGroup is created, it becomes a member of the EmailAdminsGroup, enabling the Oracle9iAS Unified Messaging applications to access both containers.

The following access control lists are applied to the UMContainer to give applications access to the UMContainer and EMailContainer.

Oracle Internet Directory Group Membership for UMAdminsGroup

The following table documents the group and permissions for the UMAdminsGroup:

Group Permissions

cn=ComputerAdmins,cn=Groups,%s_OracleContextDN%

The addition of UMAdminsGroup to this group enables the Oracle9iAS Unified Messaging applications to create and access process entries under cn=Computers.

cn=UserProxyPrivilege,cn=Groups,%s_OracleContextDN%

The addition of UMAdminsGroup to this group enables the Oracle9iAS Unified Messaging applications to proxy as the end user.

The addition of the UMAdminsGroup to the following group enables the Oracle9iAS Unified Messaging applications to create and access process entries under cn=Computers:

cn=ComputerAdmins, cn=Groups,%s_OracleContextDN%

The addition of UMAdminsGroup to the following group enables the Oracle9iAS Unified Messaging applications to proxy as the end users:

cn=UserProxyPrivilege, cn=Groups,%s_OracleContextDN% 
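
Because EmailAdminsGroup and UMAdminsGroup are members of the cn=Groups privilege groups and of each other, the accounts that effectively hold a privilege are found by expanding membership transitively, for both the mail server and telephony group tables above. The following Python is an added example, not part of the Oracle documentation; the membership data, the UMAdminsGroup DN, and the two user DNs are constructed for illustration.

```python
# Added example: expand the nested group membership described in this appendix.
# All membership data below is constructed; the UMAdminsGroup DN and the two
# user DNs are assumptions for illustration only.

def norm(dn):
    """Lowercase a DN and drop spaces around commas (simplified, not RFC 4514)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

CTX = "cn=OracleContext"  # stands in for %s_OracleContextDN%
EMAIL_ADMINS = "cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products," + CTX
UM_ADMINS = "cn=UMAdminsGroup,cn=UMContainer,cn=Products," + CTX  # assumed DN
MAIL_USER = "cn=mailadmin,cn=Users,dc=example,dc=com"  # constructed
UM_APP = "cn=umapp,cn=Users,dc=example,dc=com"         # constructed

# Group DN -> direct members, written with the page's mixed spacing and case.
DIRECT = {
    "cn=ComputerAdmins, cn=Groups," + CTX: [EMAIL_ADMINS, UM_ADMINS],
    "cn=UserProxyPrivilege, cn=Groups," + CTX: [EMAIL_ADMINS, UM_ADMINS],
    "cn=AuthenticationServices,cn=Groups," + CTX: [EMAIL_ADMINS],
    "cn=verifierServices,cn=Groups," + CTX: [EMAIL_ADMINS],
    EMAIL_ADMINS: [UM_ADMINS, MAIL_USER],
    UM_ADMINS: ["cn=EMailAdminsGroup,cn=EMailServerContainer,cn=Products," + CTX,
                UM_APP],
}
GROUPS = {norm(g): [norm(m) for m in ms] for g, ms in DIRECT.items()}

def effective_principals(group):
    """Return the non-group DNs that hold `group` directly or through nesting."""
    seen, leaves, stack = set(), set(), [norm(group)]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue  # the two admin groups contain each other: cycle guard
        seen.add(dn)
        for member in GROUPS.get(dn, []):
            if member in GROUPS:
                stack.append(member)   # nested group, expand later
            else:
                leaves.add(member)     # user or application entry
    return leaves

def report():
    """Map each cn=Groups privilege group to its sorted effective holders."""
    priv = [g for g in GROUPS if ",cn=groups," in g]
    return {g: sorted(effective_principals(g)) for g in priv}

if __name__ == "__main__":
    for group, holders in report().items():
        print(group, "->", holders)
```

In this constructed data the UM application account ends up holding verifierServices and AuthenticationServices even though only EmailAdminsGroup is a direct member of those groups.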

Copyright © 2002 Oracle Corporation.

All Rights Reserved.