T 3.88 Errors in the assignment of access rights

Due to the close relationship between the directory service and the underlying operating system and the fact that directory services contain a series of critical data on the users of the system and on the resources, the correct assignment of data access rights to the directory service is particularly critical to security.

The access control lists themselves are attributes (properties) of the corresponding objects. Rights can be granted on an object as a whole as well as on individual attributes of an object. By default, access rights are inherited from parent objects by their child objects in the tree hierarchy. Unsuitable partitioning of the directory can break this inheritance mechanism.

Because of the variety of configuration options, there is also a risk of assigning access rights inconsistently or assigning the wrong access rights. If access rights are assigned incorrectly in the directory service, the security of the overall system is significantly threatened. This can affect the confidentiality and the integrity of data and, for example, open back doors for wide-ranging attacks on the system.

Another particularly critical point is the assignment of administration rights, for example when implementing a role-based administration concept or delegating individual administration tasks by assigning the corresponding access rights. If these rights are assigned incorrectly, the entire administration concept could be called into question, and under certain circumstances the administration of the directory system may even become blocked.
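
The following audit sketch is an added example, not part of the original catalogue text. It checks a small constructed directory tree for the three errors described above: inheritance cut off at a partition boundary, the ACL attribute writable by a non-administrative trustee, and entries over which no administrator retains control. The data model, the trustee names and the rule that inheritance stops at a partition root are simplifying assumptions, not the behaviour of a specific directory product.

```python
# Constructed sample directory (simplified model, not a real product's schema).
# ACE = (trustee, target, rights); target "[entry]" is the object itself,
# any other target is an attribute name; "acl" is the attribute holding the ACL.
TREE = {
    "o=corp": {"partition_root": True, "acl": [
        ("cn=admins", "[entry]", "rw"), ("cn=helpdesk", "telephoneNumber", "rw")]},
    "ou=hr,o=corp": {"partition_root": False, "acl": []},
    "ou=branch,o=corp": {"partition_root": True, "acl": [
        ("cn=helpdesk", "acl", "rw")]},
    "cn=alice,ou=branch,o=corp": {"partition_root": False, "acl": []},
}
ADMINS = {"cn=admins"}

def parent(dn):
    return dn.split(",", 1)[1] if "," in dn else None

def effective_acl(dn, tree):
    """Own ACEs plus inherited ones; assumption: inheritance stops at a partition root."""
    chain, node = [], dn
    while node is not None:
        chain.append(node)
        if tree[node]["partition_root"]:
            break
        node = parent(node)
    eff = {}
    for node in reversed(chain):          # nearer entries override ancestors
        for trustee, target, rights in tree[node]["acl"]:
            eff[(trustee, target)] = rights
    return eff

def audit(tree, admins):
    findings = []
    for dn in sorted(tree):
        eff = effective_acl(dn, tree)
        up = parent(dn)
        if up in tree and tree[dn]["partition_root"]:
            for trustee, target in sorted(set(effective_acl(up, tree)) - set(eff)):
                findings.append((dn, "inheritance-broken", trustee, target))
        for (trustee, target), rights in sorted(eff.items()):
            if target == "acl" and "w" in rights and trustee not in admins:
                findings.append((dn, "acl-writable-by-non-admin", trustee, target))
        if not any(t in admins and tgt == "[entry]" and "w" in r
                   for (t, tgt), r in eff.items()):
            findings.append((dn, "no-admin-control", None, "[entry]"))
    return findings

if __name__ == "__main__":
    for finding in audit(TREE, ADMINS):
        print(finding)
```

In the sample, the branch partition loses the rights granted at the tree root, so the administrators no longer control it while a delegated trustee can rewrite its ACL.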