targattrfilters
The targattrfilters keyword targets specific attribute values that match filtered search criteria.
This keyword allows you to set up an ACI that grants or denies permissions on an attribute value if that value meets the filter criteria. The targattrfilters keyword applies to individual values of an attribute, not to the whole attribute. The keyword also allows the use of wildcards in the filters.
The keyword clause has the following format.
(targattrfilters = "add=attr1:Filter1 && attr2:Filter2 ... && attrN:FilterN, del=attr1:Filter1 && attr2:Filter2 ... && attrN:FilterN")
Where:
add
- Represents the operation of adding an attribute value to the entry.
del
- Represents the operation of removing an attribute value from the entry.
<attr1>, <attr2> … <attrN>
- Represents the targeted attributes.
<filter1>, <filter2> … <filterN>
- Represents filters that identify matching attribute values.
The following conditions determine when the attribute must satisfy the filter:
- When adding or deleting an entry containing an attribute targeted by a targattrfilters element, each value of that attribute must satisfy the corresponding filter.
- When modifying an entry, if the operation adds one or more values for an attribute targeted by a targattrfilters element, each value must satisfy the corresponding filter. If the operation deletes one or more values for a targeted attribute, each value must satisfy the corresponding filter.
- When replacing the set of values for an attribute targeted by a targattrfilters element, each value removed must satisfy the delete filters and each value added must satisfy the add filters.
The following example allows any user who is part of the cn=directory server admins group to add the soft-delete-read privilege.
aci:(targattrfilters="add=ds-privilege-name:(ds-privilege-name=soft-delete-read)") (version 3.0; acl "Allow members of the directory server admins group to grant the soft-delete-read privilege"; allow (write) groupdn="ldap:///cn=PingDirectory Server admins,ou=group,dc=example,dc=com";)
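The evaluation conditions listed earlier, modelled in Python as an added example; this is not PingDirectory code and the function names are hypothetical. It handles only `(attr=pattern)` filters with `*` wildcards, and treating an attribute that no filter targets as unconstrained is an assumption, since the page does not describe that case.

```python
import re

def parse_targattrfilters(expr):
    """Parse 'add=a:F1 && b:F2, del=a:F3' into {'add': {attr: filter}, 'del': {...}}."""
    rules = {"add": {}, "del": {}}
    for part in re.split(r",\s*(?=(?:add|del)=)", expr.strip()):
        op, _, body = part.partition("=")
        for item in body.split("&&"):
            attr, _, flt = item.strip().partition(":")
            rules[op.strip()][attr.strip().lower()] = flt.strip()
    return rules

def value_matches(flt, value):
    """Simplified matcher: only '(attr=pattern)' filters, with '*' as wildcard."""
    m = re.fullmatch(r"\(([^=()]+)=([^()]*)\)", flt)
    if not m:
        raise ValueError(f"filter not supported by this model: {flt}")
    pattern = ".*".join(re.escape(p) for p in m.group(2).split("*"))
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None

def rejected(rules, op, attr, values):
    """Values of attr that fail the filter for op ('add' or 'del')."""
    flt = rules[op].get(attr.lower())
    if flt is None:   # attr not targeted for this op: left unconstrained here,
        return []     # an assumption, since the page does not cover that case
    return [v for v in values if not value_matches(flt, v)]

def rejected_on_replace(rules, attr, old, new):
    """Replace: removed values face the del filter, added values the add filter."""
    removed = [v for v in old if v not in new]
    added = [v for v in new if v not in old]
    return rejected(rules, "del", attr, removed) + rejected(rules, "add", attr, added)

# Constructed expression: the page's privilege filter plus a made-up description rule.
EXPR = ("add=ds-privilege-name:(ds-privilege-name=soft-delete-read) && "
        "description:(description=temp*), del=description:(description=temp*)")

if __name__ == "__main__":
    rules = parse_targattrfilters(EXPR)
    # Granting a privilege other than soft-delete-read fails the add filter.
    print(rejected(rules, "add", "ds-privilege-name", ["soft-delete-read", "bypass-acl"]))
    # Replacing description values: "permanent" may not be removed under the del filter.
    print(rejected_on_replace(rules, "description", ["temp-a", "permanent"], ["temp-b"]))
```

Because every value is checked individually, a single non-matching value in a multi-valued change is enough for the filter condition to fail for that operation.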