The rights section of an ACI defines the permissions that are granted or denied to requesters identified by the bind rule for operations against the data specified by the target.
Every ACI must allow or deny one or more rights.
read
The read
right covers access to attributes within search result entries. If a
client does not have the read
right for an attribute in a search
result entry, then it is stripped out of the entry when it is returned to the
client.
search
The search
right covers permission to use attributes in a
search filter. When performing a search (regardless of its scope), the requester
must have search
permission for all attributes in the filter.
If the requester has search
permission for all attributes used in
the filter, but only for a portion of the subtree used as the scope for the search,
then only entries that reside in portions of the DIT where the search right is
granted can be retrieved. For example, if a user has the search right for the
cn
attribute below
ou=People,dc=example,dc=com
, then a search based at
dc=example,dc=com
with a filter that contains the
cn
attribute only returns matching entries below
ou=People,dc=example,dc=com
even if there are other entries
matching the filter below dc=example,dc=com
but outside of
ou=People,dc=example,dc=com
.
compare
The compare
right covers permission to perform a compare
assertion for a specified set of attributes.
A compare assertion includes an entry DN, an attribute name, and an assertion value.
If the specified entry has the given attribute with the provided assertion value,
then the server returns a result of compareTrue
(result code 6). If
the entry does not have the indicated attribute value, then the server returns a
result of compareFalse
(result code 5). However, if the requester
does not have permission to perform that compare assertion, then the server returns
a result of insufficientAccessRights
(result code 50).
write
The write
right covers permission to update attributes in an entry. This
includes modify operations, and it also includes modify DN operations that do not
specify a newSuperior (that is, modify distinguished name (DN) operations that only
attempt to rename an entry and do not attempt to move it beneath a new parent). This
does not include adding new entries or deleting existing entries.
selfwrite
The selfwrite
right is a limited subset of the
write
permission. It covers permission for a user to add their
own DN to the set of values for specified attributes or for a user to remove their
own DN from the set of values for those attributes. This is typically used to allow
a user to add themselves to or remove themselves from static groups.
The selfwrite
right should only be used for attributes that have a
syntax of either distinguished name or name and optional UID. Attempts to use it for
attributes with other syntaxes can fail or result in unexpected behavior.
add
The add
right covers permission to add new entries to the server.
The requester must have add
permission for at least one attribute
included in the entry to be added.
delete
The delete
right covers permission to remove entries from the server. For the
delete operation, the requester only needs to have the delete
right
for the target entry and not for individual attributes within the entry. However,
the server enforces any targattrfilters
restrictions for attribute
values contained in the entry to be deleted. If a targattrfilters
restriction is used to limit the set of values that the requester can delete, then
they are only allowed to delete entries containing those values.
export
and import
Although you might assume otherwise from their names, the
export
and import
rights do not have any
relation to exporting data to LDIF or importing data from LDIF. Instead, these
rights cover permission to move entries within the DIT (using a modify DN operation
that includes a newSuperior). The export
right is required to move
an entry out from under its current parent, and the import
right is
required to move the entry below its new parent.
These rights are not required to perform a modify DN operation that does not attempt
to move the entry below a new parent. That is covered by the write
right.
all
The all
right is a shorthand notation that includes the capabilities
of all of the other access control rights except the proxy
right.
Using the all
right is equivalent to using read
,
search
, compare
, write
,
selfwrite
, add
, delete
,
export
, and import
.
proxy
The proxy
right covers the ability to process an operation
under the authority of an alternate authorization identity. This includes:
- Requests that include a proxied authorization request control
- Requests that include an intermediate client request control with a userIdentity
- SASL bind requests that request an alternate authorization identity
Because the ability to impersonate another use is a very sensitive operation, the
requester must have the proxied-auth
privilege for the operation to
be allowed.