version: 1

#
# Heirloom Resource Access Control (RAC)
# example LDAP entries (LDIF, RFC 2849) utilizing
# existing RFC standards for LDAP schemas
# for use with authorization and authentication
# of Heirloom Elastic Batch Platform (EBP) and
# Heirloom Elastic Transaction Platform (ETP) resources
# within Heirloom Platform-as-a-Service (H-PaaS).
#
# Conventions used below: only standard objectClasses (organizationalUnit,
# groupOfUniqueNames, inetOrgPerson); the standard businessCategory attribute
# carries "allow:<op>" / "deny:<op>" permission strings; and each uniqueMember
# DN carries the grant for that member as an appended businessCategory= RDN.
# Such member DNs do not name an existing entry, so directory features that
# resolve member DNs (referential integrity, memberOf) may not work with them
# — confirm against your server.
#
# SAMPLE DATA ONLY: the user entries hold one shared cleartext placeholder
# userPassword, several OU-level defaults are allow:all, and the precedence
# between an OU-level default and a "cn=*" wildcard entry is not stated in
# this file. Review all of these before loading into a real directory.
#

# Heirloom RAC sample organization example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
dc: example
o: engineering
description: organization name example.com

# Manager for example.com (organizationalRole placeholder). No userPassword is
# set on this entry, so it cannot be used for a simple bind unless credentials
# are configured elsewhere.
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
objectClass: top
cn: Manager
description: Manager for example.com

# Define user, group and resource structure

# Heirloom RAC users are defined in the "people" organizational unit.
# NOTE(review): unlike the sibling OUs below, this entry also carries
# dcObject / dc: example, which the OU does not need — confirm before removing.
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
objectClass: dcObject
objectClass: top
dc: example
ou: people
description: users defined for the organization

# Heirloom RAC groups or roles are defined in the "groups" organizational unit
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
description: groups of users defined for the organization

# Heirloom RAC for EBP Job Classes are defined in the "jobclasses" organizational unit.
# The OU-level businessCategory below makes the default permissive: every user
# may submit to every job class unless a per-class entry (e.g. cn=Q further
# down) says otherwise. Consider deny:all here if new classes should be closed
# by default.
dn: ou=jobclasses,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: jobclasses
businessCategory: allow:all
description: EBP job class submit restrictions

# Heirloom RAC EBP Output Classes are defined in the "outputclasses" organizational unit.
# The OU-level businessCategory below makes the default permissive: every user
# may write to every output class unless a per-class entry (e.g. cn=Q further
# down) says otherwise.
dn: ou=outputclasses,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: outputclasses
businessCategory: allow:all
description: EBP output class write restrictions

# Heirloom RAC ETP programs are defined in the "programs" organizational unit.
# The OU-level businessCategory below makes the default permissive: every user
# may execute every program unless a per-program entry (e.g. cn=ETPETRN further
# down) says otherwise. Consider deny:all here if new programs should be closed
# by default.
dn: ou=programs,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: programs
businessCategory: allow:all
description: ETP program execution restrictions

# Heirloom RAC ETP transactions are defined in the "transactions" organizational unit.
# The OU-level businessCategory below makes the default permissive: every user
# may invoke every transaction unless a per-transaction entry (e.g. cn=ETRN
# further down) says otherwise. Consider deny:all here if new transactions
# should be closed by default.
dn: ou=transactions,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: transactions
businessCategory: allow:all
description: ETP transaction invocation restrictions

# Heirloom RAC EBP/ETP datasets are defined in the "datasets" organizational unit.
# NOTE(review): the OU-level businessCategory below is allow:all, yet the
# wildcard entry cn=*,ou=datasets further down is deny:all and is commented as
# "Default deny access to all datasets". Which of the two is the effective
# default is not stated in this file — confirm before relying on either.
dn: ou=datasets,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: datasets
businessCategory: allow:all
description: EBP/ETP dataset access restrictions

# Heirloom RAC ETP Resource Groups are defined in the "resourcegroups" organizational unit.
# Unlike the OUs above, no OU-level businessCategory default is set here; each
# resource group entry below carries its own (deny:all).
dn: ou=resourcegroups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: resourcegroups
description: ETP groups of resources

# End of defining user, group and resource structure
# Define specific users, groups and resource access restrictions

# Add user jjones
# NOTE(review): the userPassword below is a cleartext placeholder shared by
# every sample user in this file. Replace it before loading, prefer a hashed
# value (or server-side hashing) if the directory supports it, and never
# commit real credentials in LDIF.
dn: uid=jjones,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: janet jones
sn: jones
mail: j.jones@example.com
uid: jjones
userPassword: abc000

# Add user fbloggs (CICS operator id 997, carried in the "o" attribute below)
# NOTE(review): the userPassword below is a cleartext placeholder shared with
# the other sample users — replace it before loading and never commit real
# credentials in LDIF.
dn: uid=fbloggs,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: fred bloggs
sn: bloggs
mail: f.bloggs@example.com
uid: fbloggs
o: 997
userPassword: abc000

# Add user jblow
# NOTE(review): the userPassword below is a cleartext placeholder shared with
# the other sample users — replace it before loading and never commit real
# credentials in LDIF.
# NOTE(review): sn is "joe" while cn is "Joe Blow"; the surname should
# presumably be "blow" — confirm.
dn: uid=jblow,ou=people,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Joe Blow
sn: joe
initials: jb
uid: jblow
userPassword: abc000

# Add group EBP-admin with users that can issue EBP administrator web services.
# Membership of this group is the only gate on administrator services visible
# in this file, so keep it minimal and review it with the same care as the
# userPassword values above.
dn: cn=EBP-admin,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: EBP-admin
uniqueMember: uid=fbloggs,ou=people,dc=example,dc=com

# Add group EBP-user with users that can issue EBP standard web services
dn: cn=EBP-user,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: EBP-user
uniqueMember: uid=fbloggs,ou=people,dc=example,dc=com
uniqueMember: uid=jjones,ou=people,dc=example,dc=com

# Add group USERS with all users of ETP.
# Membership is maintained by hand: a user who is not listed here receives
# none of the USERS-based grants below (e.g. cn=HCI00.*,ou=datasets), while a
# user who is listed receives all of them — keep this list in step with
# ou=people.
dn: cn=USERS,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: USERS
uniqueMember: uid=fbloggs,ou=people,dc=example,dc=com
uniqueMember: uid=jjones,ou=people,dc=example,dc=com
uniqueMember: uid=jblow,ou=people,dc=example,dc=com
description: All users are members of the USERS group

# Add group SYSDEV with some users with special permissions of EBP/ETP resources
dn: cn=SYSDEV,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: SYSDEV
uniqueMember: uid=jjones,ou=people,dc=example,dc=com
uniqueMember: uid=fbloggs,ou=people,dc=example,dc=com
description: A group of only system developers

# Default (wildcard "cn=*") permission to execute ETP programs.
# NOTE(review): the description says non-authenticated users may execute, but
# the only member listed is the USERS group; any unauthenticated access would
# have to come from the entry-level businessCategory allow:execute. Confirm
# that is the intended posture before relying on it.
dn: cn=*,ou=programs,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: *
uniqueMember: cn=USERS,ou=groups,dc=example,dc=com,businessCategory=allow:ex
 ecute
businessCategory: allow:execute
description: Default programs executable by anyone, even non-authenticated users

# Specific group restrictions to write to EBP output classes
dn: cn=*,ou=outputclasses,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: *
uniqueMember: cn=USERS,ou=groups,dc=example,dc=com,businessCategory=allow:al
 l
businessCategory: allow:all
description: By default all user jobs may send SYSOUTs to any output class
  unless otherwise specified for a particular class

# Specific dataset restrictions for one dataset by different groups.
# NOTE(review): the entry-level businessCategory here is allow:all while the
# USERS member line is limited to allow:read. If the entry-level value is the
# fallback for principals not listed as members, it grants more than the USERS
# line does — confirm this is intended, otherwise use deny:all or allow:read.
dn: cn=HCI00.DEVCODE.PURCHASE.LIST,ou=datasets,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: HCI00.DEVCODE.PURCHASE.LIST
uniqueMember: cn=SYSDEV,ou=groups,dc=example,dc=com,businessCategory=allow:a
 ll
uniqueMember: cn=USERS,ou=groups,dc=example,dc=com,businessCategory=allow:re
 ad
businessCategory: allow:all
description: This listing dataset is available to everyone

# Specific restrictions on Q output class for the SYSDEV group
dn: cn=Q,ou=outputclasses,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: Q
uniqueMember: cn=SYSDEV,ou=groups,dc=example,dc=com,businessCategory=allow:u
 pdate/allow:view/allow:purge
businessCategory: deny:all
description: Only members of SYSDEV can update, view and purge SYSOUTs sent to
  output class Q

# Default (wildcard "cn=*") dataset entry: deny:all for everyone, including the
# USERS group listed below. Assuming this wildcard, and not the OU-level
# allow:all above, is the effective default, USERS only gain access through
# the more specific entries (e.g. cn=HCI00.*), and a dataset outside those
# patterns is denied even to members of USERS.
dn: cn=*,ou=datasets,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: *
uniqueMember: cn=USERS,ou=groups,dc=example,dc=com,businessCategory=deny:all
businessCategory: deny:all
description: By default, no usage of datasets are permitted by anyone unless
  otherwise specified

# Specific restrictions on datasets beginning with HCI00.DEVCODE
dn: cn=HCI00.DEVCODE.*,ou=datasets,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: HCI00.DEVCODE.*
uniqueMember: cn=SYSDEV,ou=groups,dc=example,dc=com,businessCategory=allow:a
 lter
businessCategory: deny:all
description: All DEVCODE is available only to SYSDEV people unless specific 
 datasets are otherwise marked

# Default permissions for all job classes
dn: cn=*,ou=jobclasses,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: *
uniqueMember: cn=USERS,ou=groups,dc=example,dc=com,businessCategory=allow:al
 l
businessCategory: allow:all
description: By default all users may submit jobs to any class unless otherw
 ise specified for a particular class

# Restrict job class Q: only SYSDEV may submit and cancel; the entry-level
# deny:all blocks everything else, including checkpoint and restart, for
# everyone.
dn: cn=Q,ou=jobclasses,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: Q
uniqueMember: cn=SYSDEV,ou=groups,dc=example,dc=com,businessCategory=allow:s
 ubmit/allow:cancel
businessCategory: deny:all
description: Only SYSDEV personnel are allowed to submit and cancel to class
  Q; no one can checkpoint or restart

# Only members of USERS may access HCI00.* datasets (membership in the group,
# not authentication alone, is what grants access here; the entry-level
# default is deny:all)
dn: cn=HCI00.*,ou=datasets,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: HCI00.*
uniqueMember: cn=USERS,ou=groups,dc=example,dc=com,businessCategory=allow:al
 l
businessCategory: deny:all
description: High Level Qualifier for most HCI datasets are fully accessible
  to all authenticated USERS

# Define a "readonly" M:N relationship between resources and groups.
# NOTE(review): the transaction and dataset entries referenced as members
# (init, emnu, eson, esof, epic, HCI00.READONLY.DAT) are not defined in this
# file; most directory servers accept member DNs without checking that the
# target exists, so make sure they are created elsewhere.
dn: cn=readonly,ou=resourcegroups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: readonly
uniqueMember: cn=init,ou=transactions,dc=example,dc=com
uniqueMember: cn=emnu,ou=transactions,dc=example,dc=com
uniqueMember: cn=eson,ou=transactions,dc=example,dc=com
uniqueMember: cn=esof,ou=transactions,dc=example,dc=com
uniqueMember: cn=epic,ou=transactions,dc=example,dc=com
uniqueMember: cn=HCI00.READONLY.DAT,ou=datasets,dc=example,dc=com
uniqueMember: cn=USERS,ou=groups,dc=example,dc=com,businessCategory=allow:ex
 ecute
uniqueMember: cn=SYSDEV,ou=groups,dc=example,dc=com,businessCategory=allow:e
 xecute
businessCategory: deny:all
description: M:N relationship between resources and groups that can execute 
 read-only transactions

# Define an "update" M:N relationship between resources and groups.
# NOTE(review): only SYSDEV is granted execute here. The member cn=etrn is
# written in lower case while the transaction entry below is cn=ETRN; LDAP DN
# comparison of cn is case-insensitive, but confirm that the RAC resolver does
# not compare the strings literally. ecnt, ejnl and HCI00.READWRIT.DAT are not
# defined in this file.
dn: cn=update,ou=resourcegroups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: update
uniqueMember: cn=etrn,ou=transactions,dc=example,dc=com
uniqueMember: cn=ecnt,ou=transactions,dc=example,dc=com
uniqueMember: cn=ejnl,ou=transactions,dc=example,dc=com
uniqueMember: cn=HCI00.READWRIT.DAT,ou=datasets,dc=example,dc=com
uniqueMember: cn=SYSDEV,ou=groups,dc=example,dc=com,businessCategory=allow:e
 xecute
businessCategory: deny:all
description: M:N relationship between resources and groups that can execute 
 update transactions

# Default (wildcard "cn=*") permission to invoke transactions.
# NOTE(review): as with the programs wildcard above, the only listed member is
# the USERS group; the "non-authenticated users" in the description can only
# be covered by the entry-level businessCategory allow:execute — confirm this
# is the intended posture.
dn: cn=*,ou=transactions,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: *
uniqueMember: cn=USERS,ou=groups,dc=example,dc=com,businessCategory=allow:ex
 ecute
businessCategory: allow:execute
description: Default transactions executable by anyone, even non-authenticat
 ed users

# Specific permissions for invoking the ETRN transaction
dn: cn=ETRN,ou=transactions,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: ETRN
uniqueMember: cn=SYSDEV,ou=groups,dc=example,dc=com,businessCategory=allow:e
 xecute
businessCategory: deny:all
description: The ETRN transaction, only SYSDEV members may execute it

# Specific permissions for executing the ETPETRN program (SYSDEV only; keep in
# step with cn=ETRN,ou=transactions above, which appears to gate the
# corresponding transaction)
dn: cn=ETPETRN,ou=programs,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: ETPETRN
uniqueMember: cn=SYSDEV,ou=groups,dc=example,dc=com,businessCategory=allow:e
 xecute
businessCategory: deny:all
description: The ETPETRN program, only SYSDEV members may execute it

