---
title: Parameterized ACIs
description: Parameterized ACIs are useful for cases in which the data in a PingDirectory server instance has the same structure repeated many times, and when each structure needs to have a similar set of access control rules.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_security_guide:pd_sec_parameterized_acis
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_security_guide/pd_sec_parameterized_acis.html
revdate: September 13, 2023
---

# Parameterized ACIs

Parameterized ACIs are useful for cases in which the data in a PingDirectory server instance has the same structure repeated many times, and when each structure needs to have a similar set of access control rules.

This is especially common in a multi-tenant environment in which users within a tenant might need access to other entries within the same tenant, but not to other entries outside their organization.

For example, consider a server that has a DIT structure like the following:

* `dc=example, dc=com`

  * `ou=tenants`

    * `ou=Company A`

      * `ou=People`

      * `ou=Groups`

        * `cn=Administrators`

    * `ou=Company B`

      * `ou=People`

      * `ou=Groups`

        * `cn=Administrators`

    * `ou=Company C`

      * `ou=People`

      * `ou=Groups`

        * `cn=Administrators`

In each case, members of the `cn=Administrators,ou=Groups,ou=<companyName>,ou=tenants,dc=example,dc=com` group might need to be able to manage entries below `ou=<companyName>,ou=tenants,dc=example,dc=com`, but not entries belonging to any other tenant. While it is possible to accomplish this by creating a similar ACI for each tenant (one per tenant, kept in sync as tenants are added and removed), it can also be accomplished with a single parameterized ACI like the following example.

```
(target="ldap:///ou=($1),ou=tenants,dc=example,dc=com")(version 3.0; acl "Allow organization administrators to manage entries in their organization"; allow (all) groupdn="ldap:///cn=Administrators,ou=Groups,ou=($1),ou=tenants,dc=example,dc=com";)
```

In this case, `($1)` is a placeholder that is shared between the `target` and `groupdn` elements of the access control rule. If the client is authenticated as a user who is a member of a group whose DN matches the pattern in the `groupdn` bind rule, then the value captured by the placeholder in that DN is substituted for the same placeholder in the `target` element. For an administrator of Company A, `($1)` is bound to `Company A`, so the rule grants that user access only to entries below `ou=Company A,ou=tenants,dc=example,dc=com`; it grants nothing below `ou=Company B` or `ou=Company C`, even though the same rule covers those tenants. Because an ACI can target only the entry on which it is defined or entries below it, this rule belongs on `ou=tenants,dc=example,dc=com` (or an entry above it), not in each tenant's subtree.

Parameterized ACIs can also be used in conjunction with the `userdn` bind rule. For example, the following ACI grants any user below `ou=People` in a tenant read, search, and compare access to a select set of attributes of any entry in the same tenant (the target covers the whole `ou=($1)` subtree, not only `ou=People`), and no access to entries in other tenants.

```
(target="ldap:///ou=($1),ou=tenants,dc=example,dc=com")(targetattr="uid||cn||givenName||sn||mail")(version 3.0; acl "Allow users within an organization to access select attributes from other entries in the same organization"; allow (read,search,compare) userdn="ldap:///uid=($2),ou=People,ou=($1),ou=tenants,dc=example,dc=com";)
```

Parameterized DNs used in the `userdn` or `groupdn` bind rules can have multiple placeholders, and not all of them need to be used in the target. In the example above, `($2)` captures the user's `uid` but appears only in the bind rule; its role is to constrain the matching bind DN to an entry directly below `ou=People` in the tenant. The reverse does not hold: a placeholder in the target takes its value from the bind rule, so a placeholder that appears only in the target has nothing to be substituted from.
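To make the substitution rule concrete, the following is an added example (not code from this page and not PingDirectory's access control evaluator) that models the placeholder mechanics of both ACIs above in Python: the bind DN (or each group DN the client belongs to) is matched against the parameterized bind-rule DN, the captured values are substituted into the target, and the requested entry is then checked against that concrete target. It ignores `targetattr`, rights, LDAP DN escaping, and multi-valued RDNs, assumes a placeholder value never contains a comma, and the function names, the simplified DN normalization, and the sample DNs (`alice`, `carol`, `bob`, `eve`) are assumptions of this example. Its purpose is to let you sanity-check that a pattern cannot match across tenants.

```python
import re

# Added example: a simplified model of how placeholders in a parameterized ACI's
# bind rule bind values that are then substituted into its target. This is NOT
# PingDirectory's implementation; it ignores targetattr, rights, DN escaping and
# multi-valued RDNs, and assumes a placeholder value never contains a comma.

PLACEHOLDER = re.compile(r"\(\$(\d+)\)")   # matches ($1), ($2), ...


def normalize_dn(dn):
    """Strip an ldap:/// prefix and whitespace around RDN separators, then lowercase.
    A simplification of LDAP DN normalization, adequate for the DNs in this example."""
    if dn.startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}")
    return ",".join(rdns).lower()


def pattern_to_regex(parameterized_dn):
    """Turn 'uid=($2),ou=people,ou=($1),...' into a regex with one named group per
    placeholder. A placeholder that appears twice must capture the same value."""
    regex, pos, seen = "^", 0, set()
    for m in PLACEHOLDER.finditer(parameterized_dn):
        regex += re.escape(parameterized_dn[pos:m.start()])
        n = m.group(1)
        regex += f"(?P=p{n})" if n in seen else f"(?P<p{n}>[^,]+)"
        seen.add(n)
        pos = m.end()
    return re.compile(regex + re.escape(parameterized_dn[pos:]) + "$")


def match_bind_dn(parameterized_dn, actual_dn):
    """Return {'($1)': value, ...} if actual_dn matches the parameterized bind DN,
    otherwise None."""
    m = pattern_to_regex(normalize_dn(parameterized_dn)).match(normalize_dn(actual_dn))
    if m is None:
        return None
    return {f"(${name[1:]})": value for name, value in m.groupdict().items()}


def substitute(parameterized_dn, values):
    """Replace bound placeholders in a target pattern. A target placeholder that the
    bind rule never bound has no value, so that is an error rather than a match."""
    dn = normalize_dn(parameterized_dn)
    for placeholder, value in values.items():
        dn = dn.replace(placeholder, value)
    if PLACEHOLDER.search(dn):
        raise ValueError(f"unbound placeholder in target: {dn}")
    return dn


def is_within(entry_dn, base_dn):
    """True if entry_dn equals base_dn or is subordinate to it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def rule_applies(target_pattern, bind_pattern, bind_dns, entry_dn):
    """Simplified parameterized ACI check.

    bind_dns are the DNs the client is matched against: its own DN for a userdn
    rule, or the DNs of the groups it belongs to for a groupdn rule. The rule
    applies if any of them matches bind_pattern and entry_dn lies under the
    target obtained by substituting the captured values into target_pattern.
    """
    for dn in bind_dns:
        values = match_bind_dn(bind_pattern, dn)
        if values is not None and is_within(entry_dn, substitute(target_pattern, values)):
            return True
    return False


# The two ACIs from this page, as (target, bind-rule DN) pairs.
TENANTS = "ou=tenants,dc=example,dc=com"
ADMIN_ACI = (f"ldap:///ou=($1),{TENANTS}",
             f"ldap:///cn=Administrators,ou=Groups,ou=($1),{TENANTS}")
USER_ACI = (f"ldap:///ou=($1),{TENANTS}",
            f"ldap:///uid=($2),ou=People,ou=($1),{TENANTS}")


def demo():
    """Constructed sample DNs: Company A's Administrators group, two Company A users,
    one Company B user and one entry outside ou=tenants. Returns which
    (rule, requester, entry) combinations the rules apply to."""
    a_admins = [f"cn=Administrators,ou=Groups,ou=Company A,{TENANTS}"]
    alice = f"uid=alice,ou=People,ou=Company A,{TENANTS}"
    carol = f"uid=carol,ou=People,ou=Company A,{TENANTS}"
    bob = f"uid=bob,ou=People,ou=Company B,{TENANTS}"
    eve = "uid=eve,ou=People,dc=example,dc=com"
    return {
        "admin_a_manages_company_a": rule_applies(*ADMIN_ACI, a_admins, carol),
        "admin_a_manages_company_b": rule_applies(*ADMIN_ACI, a_admins, bob),
        "alice_reads_carol": rule_applies(*USER_ACI, [alice], carol),
        "alice_reads_bob": rule_applies(*USER_ACI, [alice], bob),
        "alice_reads_outside_tenants": rule_applies(*USER_ACI, [alice], eve),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'applies' if allowed else 'does not apply'}")
```

Running the block shows the Company A administrator and Company A user matching only entries below `ou=Company A`; the Company B and non-tenant entries never match, because the value bound by `($1)` in the bind DN fixes the target subtree before the entry is compared against it. When you add tenants or change the DIT layout, it is this binding that you want to re-check: a bind-rule pattern loose enough to match a DN in more than one tenant would let the same user match more than one concrete target.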
