---
title: The get effective rights request control
description: After you have defined your access control policy, we recommend that you verify that it is working as expected.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_security_guide:pd_sec_get_effective_rights_request
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_security_guide/pd_sec_get_effective_rights_request.html
revdate: September 13, 2023
---

# The get effective rights request control

After you have defined your access control policy, we recommend that you verify that it is working as expected.

While you can do this by issuing requests against the server to ensure that operations are permitted and rejected as appropriate, the PingDirectory server also provides support for a get effective rights request control that can be used to determine what access a given user has to a specified entry.

This control can be used programmatically through the [UnboundID LDAP SDK for Java](https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/unboundidds/controls/GetEffectiveRightsRequestControl.html), but it can also be used from the command line with the `ldapsearch` tool. The tool provides the following arguments pertaining to this feature:

* `--getEffectiveRightsAuthzID`

  Identifies the user whose access control rights should be examined. This should be an authorization ID that either identifies the user by distinguished name (DN) (prefixed by `dn:`) or username (prefixed by `u:`).

* `--getEffectiveRightsAttribute`

  Specifies the name of an attribute for which you wish to obtain the specified user's effective rights. This argument can be used multiple times to provide multiple attribute names.

For example:

```shell
$ bin/ldapsearch --hostname ds.example.com \
     --port 636 \
     --useSSL \
     --bindDN "cn=Directory Manager" \
     --baseDN dc=example,dc=com \
     --scope base \
     --getEffectiveRightsAuthzID dn:uid=test.user,ou=People,dc=example,dc=com \
     --getEffectiveRightsAttribute objectClass \
     --getEffectiveRightsAttribute dc \
     "(objectClass=*)" \
     aclRights
Enter the bind password:

dn: dc=example,dc=com
aclRights;attributeLevel;objectclass:search:1,read:1,compare:1,write:0,
 selfwrite_add:0,selfwrite_delete:0,proxy:0
aclRights;attributeLevel;dc: search:1,read:1,compare:1,write:0,
 selfwrite_add:0,selfwrite_delete:0,proxy:0
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

# Result Code:  0 (success)
# Number of Entries Returned:  1
```

Each search result entry that is returned includes an `aclRights` attribute that indicates what rights the target user has when interacting with that entry. If you do not use the `--getEffectiveRightsAttribute` argument to specify any attribute names, then only the `aclRights;entryLevel` attribute, which shows the rights the user has when interacting with the entry itself, is returned. Otherwise, there is an additional `aclRights;attributeLevel` value for each requested attribute showing the rights for that attribute.
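To turn this output into a repeatable access control check, the following added example (not part of the PingDirectory documentation) parses the `aclRights` values from `ldapsearch` output, including folded LDIF lines, and compares them with an expected policy. The function names and the `EXPECTED` policy are assumptions made for illustration.

```python
import re

# Constructed sample: the ldapsearch output shown above, including folded lines.
SAMPLE = """\
dn: dc=example,dc=com
aclRights;attributeLevel;objectclass:search:1,read:1,compare:1,write:0,
 selfwrite_add:0,selfwrite_delete:0,proxy:0
aclRights;attributeLevel;dc: search:1,read:1,compare:1,write:0,
 selfwrite_add:0,selfwrite_delete:0,proxy:0
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
"""

def parse_acl_rights(ldif):
    """Return {dn: {scope: {right: bool}}}; scope is 'entry' or an attribute name."""
    # LDIF folds long lines: a newline followed by one space continues the value.
    unfolded = re.sub(r"\r?\n ", "", ldif)
    result, current = {}, None
    for line in unfolded.splitlines():
        if line.lower().startswith("dn:"):
            current = result.setdefault(line[3:].strip(), {})
            continue
        m = re.match(r"aclRights;(entryLevel|attributeLevel;([^:]+)):\s*(.*)$", line, re.I)
        if m is None or current is None:
            continue  # comments, blank lines, and unrelated attributes
        scope = m.group(2).lower() if m.group(2) else "entry"
        pairs = (item.partition(":")[::2] for item in m.group(3).split(",") if item.strip())
        current[scope] = {name.strip(): flag.strip() == "1" for name, flag in pairs}
    return result

def policy_violations(actual, expected):
    """List (dn, scope, right, expected, actual) where rights differ from the policy."""
    out = []
    for dn, scopes in expected.items():
        for scope, rights in scopes.items():
            for right, want in rights.items():
                got = actual.get(dn, {}).get(scope, {}).get(right)  # None if not reported
                if got != want:
                    out.append((dn, scope, right, want, got))
    return out

# Hypothetical expected policy for uid=test.user: read-only access to the base entry.
EXPECTED = {"dc=example,dc=com": {
    "entry": {"read": True, "write": False, "add": False, "delete": False},
    "dc": {"read": True, "write": False},
}}

if __name__ == "__main__":
    print(policy_violations(parse_acl_rights(SAMPLE), EXPECTED))
```

A right that the policy expects but the output does not report shows up with an actual value of `None`, which usually means the attribute was not requested with `--getEffectiveRightsAttribute`.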
