---
title: ACIs
description: Instructions for completing the service request form to add, modify, or remove PingDirectory ACIs.
component: pingoneadvancedservices
page_id: pingoneadvancedservices:task_summary_table:p1as_pd_acis
canonical_url: https://docs.pingidentity.com/pingoneadvancedservices/task_summary_table/p1as_pd_acis.html
revdate: June 27, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
---

# ACIs

To add, modify, or remove access control instructions (ACIs), submit a request through the service request form, accessible from the [Support Portal](https://support.pingidentity.com/s/).

## About this task

Global ACIs are a set of ACIs that can apply to entries anywhere in the server, but they can also be scoped so that they only apply to a specific set of entries. These ACIs work in conjunction with access control rules stored in user data and provide a convenient way to define ACIs that span disparate portions of the DIT (Directory Information Tree).

You can apply Global ACIs to administrator access, anonymous and authenticated access, delegated access to a manager or for proxy authorization. The following table includes access control components, descriptions, and the syntax used for each component.

| Access Control Components | Description                                                                                                           | Syntax                                                                                                          |
| ------------------------- | --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| targets                   | This component specifies the set of entries or attributes that the access control rule applies to.                    | Syntax: `(target keyword = \|\| != expression)`                                                                 |
| name                      | This component specifies the name of the ACI.                                                                         |                                                                                                                 |
| permissions               | This component specifies the type of operations to which an access control rule might apply.                          | Syntax: `allow\|\|deny (permission)`                                                                            |
| bind rules                | This component specifies the criteria that indicate whether an access control rule should apply to a given requester. | Syntax: `bind rule keyword = \|\|!= expression;`The bind rule syntax requires that it be terminated with a ";". |

You can find more information about ACIs in [Defining global ACIs](https://docs.pingidentity.com/pingdirectory/latest/pingdirectory_security_guide/pd_sec_define_global_acis.html) in the PingDirectory documentation.

## Steps

1. Complete the following fields:

   * **Subject**: Enter a description of your request, including the action to be taken.

   * **Environment Type**: Specify the type of environment affected by this request.

   * **Proposed Change Window**: Specify the dates or times in which you want the work complete.

2. In the **Capability** list, select **PingDirectory service request** > **ACIs**.

3. If you want to use an ACI that you constructed, select the **Do you have ACI already?** option.

4. In the **Base DN that ACI applies to** field, select the parent Base DN that the ACI should apply to. Note that this ACI will apply to all subtrees below this Base DN.

5. In the **Attributes(s) to apply to (comma separated)** field, provide a comma-separated list of attributes that should be allowed or denied by this ACI.

6. In the **DN of user or group** field, provide the User DN or Group DN that the ACI will apply to, which will determine who is allowed or denied access.

7. In the **Is the target a user or group?** field, indicate whether the target is a user or a group based on the DN provided in the previous step.

8. In the **Does this ACI allow or deny access?** field, indicate whether the ACI should allow access to users with the selected attribute or deny access.

9. In the **Permissions** field, select the permissions you want to grant or deny to the target users or groups.

10. If you have a complete ACI, paste it into the **Advanced (supply a raw ACI)** field.

11. In the **Business Priority** list, select the appropriate description:

    * Change needed by deadline to avoid business impact

    * Change modifies existing functionality

    * Change adds new functionality

12. In the **Description** field, provide a description of the request.

13. If you are tracking your request within your organization, enter the tracking ID or ticket number associated with it in the **Customer Tracking ID** field.

14. To submit your request, click **Save**.