h2. Introduction

An *Administrative Point* is an entry which is defining a starting point from which some of the four existing administrative roles will span. It's important to understand than an Administrative Point (or *AP*) comes hand in hand with the associated *Subentries*, otherwise it's useless.

Any entry can be defined as an *AP*.

In the following schema, we have depicted a DIT with three *AP*s, the big one being an *AAP*, the blue one is a *SAP* and the green one is an *IAP*. They all define an area on which they are active and the dashed lines for the *IAP* are used to express the fact that an entry within the *IAP* area still depends on the higher *AAP*.


!APs-tree.png|border=1!


Directly under an *AP*, we will find some *Subentries* defining the scopes on which they are active. These scopes (one per subentry) are called *SubtreeSpecification*, and define the entries that can be handled by the role the Subentry is defined for.

The schema shows the relation between the *AP* and one *SubEntry* :


!subentry.png|border=1!


h3. Administrative Point
We will describe the types of Administrative Points we are managing and the way they impact their associated Administrative Areas (*AA*)

We have three different kind of *AP* :
* Autonomous AP ( *AAP*)
* Specific AP (*SAP*)
* Inner AP (*IAP*)

Those three different *AP*s are related with each other in this way :
* *AAPs* manage an *AA* as if all the possible type of *SAP* where declared for this area
* *SAPs* manage an *AA* with respect to one specific kind of role (Access Control, Collective Attributes, SubSchema or Trigger Execution )
* IAPs manage an *AA* inside another *AP*
* An *AAP* or a *SAP* start at some point in the tree, and all the entries below this *AAP*/*SAP* aren't related to any other *AAP*. That also means that if an *AAP*/*SAP* is created below an existing AP, then all the entries it covers are unlinked from the previous AP (except that for *SAP*, we just logically keep a link to the higher AP for all the other aspects but the one covered by the new *SAP*)
* An *IAP* _must_ be included into another *AP*, being it an *AAP*, *SAP* or *IAP*. It controls a specific aspect too, as for the *SAP*, but it will be combined with any of the above *AP*.

h3. Roles
*AP* are managing some administrative aspect, defined by a role :
* ACI : Manage the access control
* CollectiveAttribute : Manage the collective attributes
* SubSchema (not handled atm)
* TriggrExecution : Manage the execution of stored procedures

h2. Subentry

Once we have defined an *AP*, we can add some *subentries* which contain the description of the administrative actions, including :
* The area this *subentry* covers, defined by a *SubtreeSpecification*, named *subtree*.


The *SubtreeSpecification* can be complex. Its grammar is given below :

{code}
<subtreeSpecification> ::= '{' <sps-e> <subtreeSpecificationComponent-e> '}'

<subtreeSpecificationComponent-e> ::= <subtreeSpecificationComponent> <sps-e> <subtreeSpecificationComponent-list> | e

<subtreeSpecificationComponent-list> ::= ',' <sps-e> <subtreeSpecificationComponent> <sps-e> <subtreeSpecificationComponent-list> | e

<subtreeSpecificationComponent> ::=
'base' <sps> DN
| 'specificExclusions' <sps> '{' <sps-e> <specificExclusion-e> '}'
| 'minimum' <sps> INTEGER
| 'maximum' <sps> INTEGER
| 'specificationFilter' <sps> <refinement-filter>

<specificExclusion-e> ::= <specificExclusion> <sps-e> <specificExclusion-list> | e

<specificExclusion-list> ::= ',' <sps-e> <specificExclusion> <sps-e> <specificExclusion-list> | e

<specificExclusion> ::= 'chopBefore' <sps-e> ':' <sps-e> DN | 'chopAfter' <sps-e> ':' <sps-e> DN

<refinement-filter> ::= <refinement> | FILTER

<refinement> ::=
'item' <sps-e> ':' <sps-e> <oid>
| 'and' <sps-e> ':' <sps-e> '{' <sps-e> <refinement-e> '}'
| 'or' <sps-e> ':' <sps-e> '{' <sps-e> <refinement-e> '}'
| 'not' <sps-e> ':' <sps-e> <refinement>

<refinement-e> ::= <refinement> <sps-e> <refinement-list> | e

<refinement-list> ::= ',' <sps-e> <refinement> <sps-e> <refinement-list> | e

<oid> ::= DESCR | NUMERICOID

<sps> ::= ' ' <sps-e>

<sps-e> ::= ' ' <sps-e> | e
{code}

Some exemple of such subtrees :

{code}
{} : select all the entries below the AdministrativePoint entry
{code}

{code}
{ base "ou=users" } : select all the entries below the ou=users branch starting from the AdministrativePoint entry
{code}

{code}
{ specificExclusions { chopBefore:"ou=groups" } } : exclude all the entries below the "ou=groups" branch
{code}