Every ACI must allow or deny one or more rights.


The read right covers access to attributes within search result entries. If a client does not have the read right for an attribute in a search result entry, then it is stripped out of the entry when it is returned to the client.


The search right covers permission to use attributes in a search filter. When performing a search (regardless of its scope), the requester must have search permission for all attributes in the filter.

If the requester has search permission for all attributes used in the filter, but only for a portion of the subtree used as the scope for the search, then only entries that reside in portions of the DIT where the search right is granted can be retrieved. For example, if a user has the search right for the cn attribute below ou=People,dc=example,dc=com, then a search based at dc=example,dc=com with a filter that contains the cn attribute only returns matching entries below ou=People,dc=example,dc=com even if there are other entries matching the filter below dc=example,dc=com but outside of ou=People,dc=example,dc=com.


The compare right covers permission to perform a compare assertion for a specified set of attributes.

A compare assertion includes an entry DN, an attribute name, and an assertion value. If the specified entry has the given attribute with the provided assertion value, then the server returns a result of compareTrue (result code 6). If the entry does not have the indicated attribute value, then the server returns a result of compareFalse (result code 5). However, if the requester does not have permission to perform that compare assertion, then the server returns a result of insufficientAccessRights (result code 50).


The write right covers permission to update attributes in an entry. This includes modify operations, and it also includes modify DN operations that do not specify a newSuperior (that is, modify distinguished name (DN) operations that only attempt to rename an entry and do not attempt to move it beneath a new parent). This does not include adding new entries or deleting existing entries.


The selfwrite right is a limited subset of the write permission. It covers permission for a user to add their own DN to the set of values for specified attributes or for a user to remove their own DN from the set of values for those attributes. This is typically used to allow a user to add themselves to or remove themselves from static groups.

The selfwrite right should only be used for attributes that have a syntax of either distinguished name or name and optional UID. Attempts to use it for attributes with other syntaxes can fail or result in unexpected behavior.


The add right covers permission to add new entries to the server. The requester must have add permission for at least one attribute included in the entry to be added.


The delete right covers permission to remove entries from the server. For the delete operation, the requester only needs to have the delete right for the target entry and not for individual attributes within the entry. However, the server enforces any targattrfilters restrictions for attribute values contained in the entry to be deleted. If a targattrfilters restriction is used to limit the set of values that the requester can delete, then they are only allowed to delete entries containing those values.

export and import

Although you might assume otherwise from their names, the export and import rights do not have any relation to exporting data to LDIF or importing data from LDIF. Instead, these rights cover permission to move entries within the DIT (using a modify DN operation that includes a newSuperior). The export right is required to move an entry out from under its current parent, and the import right is required to move the entry below its new parent.

These rights are not required to perform a modify DN operation that does not attempt to move the entry below a new parent. That is covered by the write right.


The all right is a shorthand notation that includes the capabilities of all of the other access control rights except the proxy right. Using the all right is equivalent to using read, search, compare, write, selfwrite, add, delete, export, and import.


The proxy right covers the ability to process an operation under the authority of an alternate authorization identity. This includes:

  • Requests that include a proxied authorization request control
  • Requests that include an intermediate client request control with a userIdentity
  • SASL bind requests that request an alternate authorization identity

Because the ability to impersonate another use is a very sensitive operation, the requester must have the proxied-auth privilege for the operation to be allowed.