X500Standard.com
The website of the X.500 Directory standard
X.500 Standard status
(Implementors' Guide)
- Introduction
- Standardization Procedures
- X.500 Document Structure
- X.500 docs not freely available
- X.500 docs freely available
- Current ASN.1 modules
- X.500 extension (excl. X.509)
- F.5xx - Tag-based service
- Submit a Defect Report
- Defect Reports
- Draft Tech Corrigenda
- Upcoming Meetings
- Meeting Reports
- A little history
X.509 Related activities
- X.509 extensions
- General on PKI usages
- Key Management
- Wireless PKI (WPKI)
- M2M and PKI
- Cloud Computing and PKI
- Smart Grid and PKI
How to be involved
More Information
Tutorial section 1
X.500 General
- The X.500 Directory
- Relationship with LDAP
- Information structure & names
- X.500 protocols
- X.500 operations
- Navigation
- Directory Schema
- Access Control
- Replication (Shadowing)
- Families of Entries
- Hierarchical Groups
- Mapping Based Searches
- X.500 Service Concept
- X.500 Service Administration
- Data Privacy Protection
- ISSS Schema
Tutorial section 2
X.509 specific
- X.509 Introduction
- Public-key Certificates
- Public-Key Infrastructure (PKI)
- X.509 Extentions
- Protecting a directory
X.509 at work
Search
Access Control
Access control is about who may do what based on the level of authentication. This section is related to protection of information stored in a directory, but concepts described here could applied in other areas.
A piece of directory information requiring some kind of individual protection against unauthorized access is also called a protected item. A protected item can be all the information stored about an entity, or it can be a particular piece of such information, for example a secret telephone number.
The access control can be related to different types of operations. As an example, a user may be allowed to be read information, but not to modify it. At the extreme, an accessing user may not even know the existence of a certain piece of information.
The two views of access control
Figure 1 - Two views of access control
When it comes to access control it a question about:
- information stored in a directory to be protected; and
- users wanting to access that information.
Access control can therefore be viewed in two ways:
- For each piece of information (protected item) it can be defined who is allowed access that information and what operations are allowed for each user (referred to as item first).
- For each user it can be defined what information that user my access and he type of operation allowed.(referred to as user first).
Types of protected items
For each directory entry a directory operation is accessing, a protected item may be of different level:
- the complete entry;
- all user attribute types within the entry, but not their values;
- all user attribute types and values within the entry;
- specific attribute types, but not their values;
- specific attribute types with all their values;
- specific attribute values within specific attribute types;
- self value (the name of the requestor); and
- a few more sophisticated cases
Identification of users
User may be listed individually or in groups as indicated:
- owner of entry
- specific user
- user group
- all users
- subtree
Item first definitions
Figure 2 - Item first
User first definitions
Figure 3 - User first