The ASN.1 syntax for ACIItem of X.501, as given in the specification, is as follows:
ACIItem ::= SEQUENCE {
identificationTag DirectoryString { ub-tag },
precedence Precedence,
authenticationLevel AuthenticationLevel,
itemOrUserFirst CHOICE {
itemFirst [0] SEQUENCE {
protectedItems ProtectedItems,
itemPermissions SET OF ItemPermission },
userFirst [1] SEQUENCE {
userClasses UserClasses,
userPermissions SET OF UserPermission } } }
Precedence ::= INTEGER (0..255)
ProtectedItems ::= SEQUENCE {
entry [0] NULL OPTIONAL,
allUserAttributeTypes [1] NULL OPTIONAL,
attributeType [2] SET SIZE (1..MAX) OF AttributeType OPTIONAL,
allAttributeValues [3] SET SIZE (1..MAX) OF AttributeType OPTIONAL,
allUserAttributeTypesAndValues [4] NULL OPTIONAL,
attributeValue [5] SET SIZE (1..MAX) OF AttributeTypeAndValue OPTIONAL,
selfValue [6] SET SIZE (1..MAX) OF AttributeType OPTIONAL,
rangeOfValues [7] Filter OPTIONAL,
maxValueCount [8] SET SIZE (1..MAX) OF MaxValueCount OPTIONAL,
maxImmSub [9] INTEGER OPTIONAL,
restrictedBy [10] SET SIZE (1..MAX) OF RestrictedValue OPTIONAL,
contexts [11] SET SIZE (1..MAX) OF ContextAssertion OPTIONAL,
classes [12] Refinement OPTIONAL }
MaxValueCount ::= SEQUENCE {
type AttributeType,
maxCount INTEGER }
RestrictedValue ::= SEQUENCE {
type AttributeType,
valuesIn AttributeType }
UserClasses ::= SEQUENCE {
allUsers [0] NULL OPTIONAL,
thisEntry [1] NULL OPTIONAL,
name [2] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
userGroup [3] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
-- dn component shall be the name of an
-- entry of GroupOfUniqueNames
subtree [4] SET SIZE (1..MAX) OF SubtreeSpecification OPTIONAL }
ItemPermission ::= SEQUENCE {
precedence Precedence OPTIONAL,
-- defaults to precedence in ACIItem
userClasses UserClasses,
grantsAndDenials GrantsAndDenials }
UserPermission ::= SEQUENCE {
precedence Precedence OPTIONAL,
-- defaults to precedence in ACIItem
protectedItems ProtectedItems,
grantsAndDenials GrantsAndDenials }
AuthenticationLevel ::= CHOICE {
basicLevels SEQUENCE {
level ENUMERATED { none (0), simple (1), strong (2) },
localQualifier INTEGER OPTIONAL,
signed BOOLEAN DEFAULT FALSE },
other EXTERNAL }
GrantsAndDenials ::= BIT STRING {
-- permissions that may be used in conjunction
-- with any component of ProtectedItems
grantAdd (0),
denyAdd (1),
grantDiscloseOnError (2),
denyDiscloseOnError (3),
grantRead (4),
denyRead (5),
grantRemove (6),
denyRemove (7),
-- permissions that may be used only in conjunction
-- with the entry component
grantBrowse (8),
denyBrowse (9),
grantExport (10),
denyExport (11),
grantImport (12),
denyImport (13),
grantModify (14),
denyModify (15),
grantRename (16),
denyRename (17),
grantReturnDN (18),
denyReturnDN (19),
-- permissions that may be used in conjunction
-- with any component, except entry, of ProtectedItems
grantCompare (20),
denyCompare (21),
grantFilterMatch (22),
denyFilterMatch (23),
grantInvoke (24),
denyInvoke (25) }
AttributeTypeAndValue ::= SEQUENCE {
type ATTRIBUTE.&id ({SupportedAttributes}),
value ATTRIBUTE.&Type({SupportedAttributes}{@type}) }
Here is the BNF grammar corresponding to this ASN.1 syntax:
<wrapperEntryPoint> ::= <theACIItem> EOF
<theACIItem> ::=
'{'
<spse> <aci_identificationTag> <spse>
',' <spse> <aci_precedence> <spse>
',' <spse> <aci_authenticationLevel> <spse>
',' <spse> <aci_itemOrUserFirst> <spse>
'}'
<aci_identificationTag> ::= "identificationTag" <sps> SAFEUTF8STRING
<aci_precedence> ::= "precedence" <sps> INTEGER
<aci_authenticationLevel> ::= "authenticationLevel" <sps> <basicLevels>
<basicLevels> ::= "basicLevels" <spse> ':' <spse> '{' <spse> <level> <spse> <level_follower> '}'
<level> ::= "level" <sps> <levels>
<levels> ::= "none" | "simple" | "strong"
<level_follower> ::= ',' <spse> <localQualifier_signed> | e
<localQualifier_signed> ::=
"localQualifier" <sps> INTEGER <spse> <signed_e>
| "signed" <sps> <booleanValue> <spse>
<signed_e> ::= ',' <spse> "signed" <sps> <booleanValue> <spse> | e
<booleanValue> ::= "FALSE" | "TRUE"
<aci_itemOrUserFirst> ::= "itemOrUserFirst" <sps> <itemOrUserFirst>
<itemOrUserFirst> ::= <itemFirst> | <userFirst>
<itemFirst> ::= "itemFirst" ':' '{' <spse> <protectedItems> ',' <spse> <itemPermissions> <spse> '}'
<userFirst> ::= "userFirst" ':' '{' <spse> <userClasses> ',' <spse> <userPermissions> <spse> '}'
<protectedItems> ::= "protectedItems" <spse> '{' <spse> <protectedItems_e> <spse> '}'
<protectedItems_e> ::= "entry" <entry_follower_e>
| "allUserAttributeTypes" <allUserAttributeTypes_follower_e>
| <attributeType> <attributeType_follower_e>
| <allAttributeValues> <allAttributeValues_follower_e>
| <allUserAttributeTypesAndValues> <allUserAttributeTypesAndValues_follower_e>
| ATTRIBUTE_VALUE_CANDIDATE <attributeValue_follower_e>
| <selfValue> <selfValue_follower_e>
| RANGE_OF_VALUES_CANDIDATE <rangeOfValues_follower_e>
| <maxValueCount> <maxValueCount_follower_e>
| <maxImmSub> <maxImmSub_follower_e>
| <restrictedBy> <restrictedBy_follower_e>
| <classes>
| e
<entry_follower_e> ::= ',' <spse> <entry_follower> | e
<entry_follower> ::=
"allUserAttributeTypes" <allUserAttributeTypes_follower_e>
| <attributeType> <attributeType_follower_e>
| <allAttributeValues> <allAttributeValues_follower_e>
| <allUserAttributeTypesAndValues> <allUserAttributeTypesAndValues_follower_e>
| ATTRIBUTE_VALUE_CANDIDATE <attributeValue_follower_e>
| <selfValue> <selfValue_follower_e>
| RANGE_OF_VALUES_CANDIDATE <rangeOfValues_follower_e>
| <maxValueCount> <maxValueCount_follower_e>
| <maxImmSub> <maxImmSub_follower_e>
| <restrictedBy> <restrictedBy_follower_e>
| <classes>
<allUserAttributeTypes_follower_e> ::= ',' <spse> <allUserAttributeTypes_follower> | e
<allUserAttributeTypes_follower> ::=
<attributeType> <attributeType_follower_e>
| <allAttributeValues> <allAttributeValues_follower_e>
| <allUserAttributeTypesAndValues> <allUserAttributeTypesAndValues_follower_e>
| ATTRIBUTE_VALUE_CANDIDATE <attributeValue_follower_e>
| <selfValue> <selfValue_follower_e>
| RANGE_OF_VALUES_CANDIDATE <rangeOfValues_follower_e>
| <maxValueCount> <maxValueCount_follower_e>
| <maxImmSub> <maxImmSub_follower_e>
| <restrictedBy> <restrictedBy_follower_e>
| <classes>
<attributeType_follower_e> ::= ',' <spse> <attributeType_follower> | e
<attributeType_follower> ::=
<allAttributeValues> <allAttributeValues_follower_e>
| <allUserAttributeTypesAndValues> <allUserAttributeTypesAndValues_follower_e>
| ATTRIBUTE_VALUE_CANDIDATE <attributeValue_follower_e>
| <selfValue> <selfValue_follower_e>
| RANGE_OF_VALUES_CANDIDATE <rangeOfValues_follower_e>
| <maxValueCount> <maxValueCount_follower_e>
| <maxImmSub> <maxImmSub_follower_e>
| <restrictedBy> <restrictedBy_follower_e>
| <classes>
<allAttributeValues_follower_e> ::= ',' <spse> <allAttributeValues_follower> | e
<allAttributeValues_follower> ::=
<allUserAttributeTypesAndValues> <allUserAttributeTypesAndValues_follower_e>
| ATTRIBUTE_VALUE_CANDIDATE <attributeValue_follower_e>
| <selfValue> <selfValue_follower_e>
| RANGE_OF_VALUES_CANDIDATE <rangeOfValues_follower_e>
| <maxValueCount> <maxValueCount_follower_e>
| <maxImmSub> <maxImmSub_follower_e>
| <restrictedBy> <restrictedBy_follower_e>
| <classes>
<allUserAttributeTypesAndValues_follower_e> ::= ',' <spse> <allUserAttributeTypesAndValues_follower> | e
<allUserAttributeTypesAndValues_follower> ::=
ATTRIBUTE_VALUE_CANDIDATE <attributeValue_follower_e>
| <selfValue> <selfValue_follower_e>
| RANGE_OF_VALUES_CANDIDATE <rangeOfValues_follower_e>
| <maxValueCount> <maxValueCount_follower_e>
| <maxImmSub> <maxImmSub_follower_e>
| <restrictedBy> <restrictedBy_follower_e>
| <classes>
<attributeValue_follower_e> ::= ',' <spse> <attributeValue_follower> | e
<attributeValue_follower> ::=
<selfValue> <selfValue_follower_e>
| RANGE_OF_VALUES_CANDIDATE <rangeOfValues_follower_e>
| <maxValueCount> <maxValueCount_follower_e>
| <maxImmSub> <maxImmSub_follower_e>
| <restrictedBy> <restrictedBy_follower_e>
| <classes>
<selfValue_follower_e> ::= ',' <spse> <selfValue_follower> | e
<selfValue_follower> ::=
RANGE_OF_VALUES_CANDIDATE <rangeOfValues_follower_e>
| <maxValueCount> <maxValueCount_follower_e>
| <maxImmSub> <maxImmSub_follower_e>
| <restrictedBy> <restrictedBy_follower_e>
| <classes>
<rangeOfValues_follower_e> ::= ',' <spse> <rangeOfValues_follower> | e
<rangeOfValues_follower> ::=
<maxValueCount> <maxValueCount_follower_e>
| <maxImmSub> <maxImmSub_follower_e>
| <restrictedBy> <restrictedBy_follower_e>
| <classes>
<maxValueCount_follower_e> ::= ',' <spse> <maxValueCount_follower> | e
<maxValueCount_follower> ::=
<maxImmSub> <maxImmSub_follower_e>
| <restrictedBy> <restrictedBy_follower_e>
| <classes>
<maxImmSub_follower_e> ::= ',' <spse> <maxImmSub_follower> | e
<maxImmSub_follower> ::=
<restrictedBy> <restrictedBy_follower_e>
| <classes>
<restrictedBy_follower_e> ::= ',' <spse> <classes> | e
<attributeType> ::= "attributeType" <sps> <attributeTypeSet>
<allAttributeValues> ::= "allAttributeValues" <sps> <attributeTypeSet>
<allUserAttributeTypesAndValues> ::= "allUserAttributeTypesAndValues"
<selfValue> ::= "selfValue" <sps> <attributeTypeSet>
<maxValueCount> ::= "maxValueCount" <sps> '{' <spse> <aMaxValueCount> <spse> <aMaxValueCounts> '}'
<aMaxValueCounts> ::= ',' <spse> <aMaxValueCount> <spse> <aMaxValueCounts> | e
<aMaxValueCount> ::= '{' <spse> "type" <sps> <oid> <spse> ',' <spse> "maxCount" <sps> INTEGER <spse> '}'
<maxImmSub> ::= "maxImmSub" <sps> INTEGER
<restrictedBy> ::= "restrictedBy" <sps> '{' <spse> <restrictedValue> <spse> <restrictedValues> '}'
<restrictedValues> ::= ',' <spse> <restrictedValue> <spse> <restrictedValues> | e
<restrictedValue> ::= '{' <spse> "type" <sps> <oid> <spse> ',' <spse> "valuesIn" <sps> <oid> <spse> '}'
<attributeTypeSet> ::= '{' <spse> <oid> <spse> <attributeTypeSets> '}'
<attributeTypeSets> ::= ',' <spse> <oid> <spse> <attributeTypeSets> | e
<classes> ::= "classes" <sps> <refinement>
<itemPermissions> ::= "itemPermissions" <sps> '{' <spse> <itemPermission_e> '}'
<itemPermission_e> ::= <itemPermission> <spse> <itemPermissions_e> | e
<itemPermissions_e> ::= ',' <spse> <itemPermission> <spse> <itemPermissions_e> | e
<itemPermission> ::= '{' <spse> <precedence_e> <spse> '}'
<precedence_e> ::=
"precedence" <sps> INTEGER <spse> ',' <spse> <userClasses> <spse> ',' <spse> <grantsAndDenials>
| <userClasses> <spse> ',' <spse> <grantsAndDenials>
<grantsAndDenials> ::= "grantsAndDenials" <sps> '{' <spse> <grantAndDenialsBit_e> '}'
<grantAndDenialsBit_e> ::= <grantAndDenialsBit> <spse> <grantAndDenialsBits_e> | e
<grantAndDenialsBits_e> ::= ',' <spse> <grantAndDenialsBit> <spse> <grantAndDenialsBits_e> | e
<grantAndDenialsBit> ::=
"grantAdd" // (0),
| "denyAdd" // (1),
| "grantDiscloseOnError" // (2),
| "denyDiscloseOnError" // (3),
| "grantRead" // (4),
| "denyRead" // (5),
| "grantRemove" // (6),
| "denyRemove" // (7),
| "grantBrowse" // (8),
| "denyBrowse" // (9),
| "grantExport" // (10),
| "denyExport" // (11),
| "grantImport" // (12),
| "denyImport" // (13),
| "grantModify" // (14),
| "denyModify" // (15),
| "grantRename" // (16),
| "denyRename" // (17),
| "grantReturnDN" // (18),
| "denyReturnDN" // (19),
| "grantCompare" // (20),
| "denyCompare" // (21),
| "grantFilterMatch" // (22),
| "denyFilterMatch" // (23),
| "grantInvoke" // (24),
| "denyInvoke" // (25)
<userClasses> ::= "userClasses" <sps> '{' <spse> <userClasses_e> '}'
<userClasses_e> ::=
"allUsers" <allUsers_follower_e> <spse>
| "thisEntry" <thisEntry_follower_e> <spse>
| <name> <name_follower_e> <spse>
| <userGroup> <userGroup_follower_e> <spse>
| <subtree> <spse>
| e
<allUsers_follower_e> ::= ',' <spse> <allUsers_follower> | e
<allUsers_follower> ::=
"thisEntry" <thisEntry_follower_e>
| <name> <name_follower_e>
| <userGroup> <userGroup_follower_e>
| <subtree>
<thisEntry_follower_e> ::= ',' <spse> <thisEntry_follower> | e
<thisEntry_follower> ::=
<name> <name_follower_e>
| <userGroup> <userGroup_follower_e>
| <subtree>
<name_follower_e> ::= ',' <spse> <name_follower> | e
<name_follower> ::=
<userGroup> <userGroup_follower_e>
| <subtree>
<userGroup_follower_e> ::= ',' <spse> <subtree> | e
<name> ::= "name" <sps> '{' <spse> SAFEUTF8STRING <spse> <names_e> '}'
<names_e> ::= ',' <spse> SAFEUTF8STRING <spse> <names_e> | e
<userGroup> ::= "userGroup" <sps> '{' <spse> SAFEUTF8STRING <spse> <userGroups_e> '}'
<userGroups_e> ::= ',' <spse> SAFEUTF8STRING <spse> <userGroups_e> | e
<subtree> ::= "subtree" <sps> '{' <spse> <subtreeSpecification> <spse> <subtrees_e> '}'
<subtrees_e> ::= ',' <spse> <subtreeSpecification> <spse> <subtrees_e> | e
<userPermissions> ::= "userPermissions" <sps> '{' <spse> <userPermissions_ee> '}'
<userPermissions_ee> ::= <userPermission> <spse> <userPermissions_e> | e
<userPermissions_e> ::= ',' <spse> <userPermission> <spse> <userPermissions_e> | e
<userPermission> ::= '{' <spse> <precedence_ee> <spse> '}'
<precedence_ee> ::=
"precedence" <sps> INTEGER <spse> ',' <spse> <protectedItems> <spse> ',' <spse> <grantsAndDenials>
| <protectedItems> <spse> ',' <spse> <grantsAndDenials>
<subtreeSpecification> ::= '{' <spse> <subtreeSpecification_e> '}'
<subtreeSpecification_e> ::=
<ss_base> <ss_base_follower_e> <spse>
| <ss_specificExclusions> <ss_specificExclusions_follower_e> <spse>
| <ss_minimum> <ss_minimum_follower_e> <spse>
| <ss_maximum> <ss_maximum_follower_e> <spse>
| <ss_specificationFilter> <spse>
| e
<ss_base_follower_e> ::= ',' <spse> <ss_base_follower> | e
<ss_base_follower> ::=
<ss_specificExclusions> <ss_specificExclusions_follower_e>
| <ss_minimum> <ss_minimum_follower_e>
| <ss_maximum> <ss_maximum_follower_e>
| <ss_specificationFilter>
<ss_specificExclusions_follower_e> ::= ',' <spse> <ss_specificExclusions_follower> | e
<ss_specificExclusions_follower> ::=
<ss_minimum> <ss_minimum_follower_e>
| <ss_maximum> <ss_maximum_follower_e>
| <ss_specificationFilter>
<ss_minimum_follower_e> ::= ',' <spse> <ss_minimum_follower> | e
<ss_minimum_follower> ::=
<ss_maximum> <ss_maximum_follower_e>
| <ss_specificationFilter>
<ss_maximum_follower_e> ::= ',' <spse> <ss_specificationFilter> | e
<ss_base> ::= "base" <sps> SAFEUTF8STRING
<ss_specificExclusions> ::= "specificExclusions" <sps> <specificExclusions>
<specificExclusions> ::= '{' <spse> <specificExclusions_e> '}'
<specificExclusions_e> ::= <specificExclusion> <spse> <specificExclusions_ee> | e
<specificExclusions_ee> ::= ',' <spse> <specificExclusion> <spse> <specificExclusions_ee> | e
<specificExclusion> ::= "chopBefore" ':' SAFEUTF8STRING | "chopAfter" ':' SAFEUTF8STRING
<ss_minimum> ::= "minimum" <sps> INTEGER
<ss_maximum> ::= "maximum" <sps> INTEGER
<ss_specificationFilter> ::= "specificationFilter" <sps> <refinement>
<oid> ::= DESCR | NUMERICOID
<refinement> ::= <item> | <and> | <or> | <not>
<item> ::= "item" ':' <oid>
<and> ::= "and" ':' <refinements>
<or> ::= "or" ':' <refinements>
<not> ::= "not" ':' <refinements>
<refinements> ::= '{' <spse> <refinements_e> '}'
<refinements_e> ::= <refinement> <spse> <refinements_ee> | e
<refinements_ee> ::= ',' <spse> <refinement> <spse> <refinements_ee> | e
<sps> ::= ' ' <spse>
<spse> ::= ' ' <spse> | e
// Lexer
// SAFEUTF8CHAR: the characters accepted inside a quoted SAFEUTF8STRING.
// The ranges leave out U+0000 and U+0022 (the double quote), so a string
// token ends at the first '"' it meets. No escape sequence is defined in
// this rule, so a value that contains '"' cannot be written in this form.
// U+0080..U+00BF, U+00D7 and U+00F7 are also outside the listed ranges,
// as is everything between the later blocks (e.g. U+2000..U+303F).
// 'protected' marks a helper rule that other lexer rules call; it is not
// handed to the parser as a token of its own.
protected SAFEUTF8CHAR :
'\u0001'..'\u0021' |
'\u0023'..'\u007F' |
'\u00c0'..'\u00d6' |
'\u00d8'..'\u00f6' |
'\u00f8'..'\u00ff' |
'\u0100'..'\u1fff' |
'\u3040'..'\u318f' |
'\u3300'..'\u337f' |
'\u3400'..'\u3d2d' |
'\u4e00'..'\u9fff' |
'\uf900'..'\ufaff' ;
// Single-character separators that the grammar above uses as literals.
',' : ',' ;
' ' : ' ' ;
':' : ':' ;
// Character classes shared by the token rules below.
protected DIGIT : '0' | LDIGIT ;
// LDIGIT is a non-zero digit; it is what forbids a leading zero in INTEGER.
protected LDIGIT : '1'..'9' ;
protected ALPHA : 'A'..'Z' | 'a'..'z' ;
// INTEGER: one DIGIT, or an LDIGIT followed by one or more DIGITs.
// There is no sign and no leading zero on a multi-digit number.
// No upper bound is applied at this level.
// NOTE(review): the ASN.1 restricts Precedence to 0..255; that range has to
// be checked after lexing -- confirm where the consumer enforces it.
protected INTEGER : DIGIT | ( LDIGIT ( DIGIT )+ ) ;
protected HYPHEN : '-' ;
// NUMERICOID: an INTEGER followed by one or more ".INTEGER" arcs.
protected NUMERICOID : INTEGER ( DOT INTEGER )+ ;
protected DOT : '.' ;
// INTEGER_OR_NUMERICOID: the one non-protected rule for digit-led input.
// The syntactic predicate "( INTEGER DOT ) =>" looks ahead for an integer
// followed by a dot. If it is there, the input is matched as a NUMERICOID.
// Otherwise it is matched as a plain INTEGER.
// NOTE(review): the BNF above refers to INTEGER and NUMERICOID as separate
// tokens; the action that sets the token type is not shown here -- confirm.
INTEGER_OR_NUMERICOID
:
( INTEGER DOT ) => NUMERICOID
|
INTEGER
;
// SAFEUTF8STRING: zero or more SAFEUTF8CHAR between double quotes.
// The '!' suffix drops both quote characters from the token text.
// An empty string ("") is accepted.
// NOTE(review): the DN-valued fields (name, userGroup, base, chopBefore,
// chopAfter) reach the parser as plain strings through this token; DN syntax
// is presumably validated by the consumer -- confirm.
SAFEUTF8STRING : '"'! ( SAFEUTF8CHAR )* '"'! ;
// DESCR: three alternatives, the first two guarded by syntactic predicates.
//  1. "attributeValue" + spaces + '{' ... '}': the keyword, the spaces and both
//     braces carry '!' and are dropped, so only the inner text stays in the token.
//  2. "rangeOfValues" + spaces + '(' ... ')': the keyword and spaces are dropped,
//     but the parentheses are kept in the token text.
//  3. A plain descriptor: an ALPHA followed by any mix of ALPHA, DIGIT and HYPHEN.
// The inner text of 1 and 2 is consumed by a non-greedy "any character" loop.
// It is not parsed here and is presumably interpreted by the consumer.
// NOTE(review): the BNF names these tokens ATTRIBUTE_VALUE_CANDIDATE and
// RANGE_OF_VALUES_CANDIDATE; the action that sets the token type is not shown
// here -- confirm.
// NOTE(review): the non-greedy loop appears to stop at the first '}' (or ')').
// A value or filter that itself contains that character would end the token
// early, e.g. a nested parenthesised filter. A truncated protectedItems clause
// changes what the ACI protects, so confirm how such input is handled or rejected.
DESCR
:
( "attributeValue" ( ' '! )+ '{' ) =>
"attributeValue"! ( ' '! )+ '{'! (options { greedy=false;}:. )* '}'!
| ( "rangeOfValues" ( ' '! )+ '(') =>
"rangeOfValues"! ( ' '! )+ '(' (options { greedy=false;}:. )* ')'
| ALPHA ( ALPHA | DIGIT | HYPHEN )*
;