The Directory Server supports the use of parameterized ACIs to control access to subtrees with homogenous administrative group or user patterns, which can be used in multi-tenant deployments. A single parameterized ACI can take the place of specifying identical ACIs on each tenant’s subtree. For example, the following parameterized ACI:

(target="ldap:///o=($1),dc=example,dc=com")(version 3.0; acl \
"Subtree Admin Group members may search for and read entries in their subtree."; allow \
(search, read) groupdn="ldap:///cn=Subtree Admin Group,ou=groups,o=($1),dc=example,dc=com";)
Enables:
  • Members of a group with DN "cn=Subtree Admin Group,ou=groups,o=Customers, dc=example,dc=com" to search for and read entries in the "o=Customers, dc=example,dc=com" subtree.
  • Members of a group with DN "cn=Subtree Admin Group,ou=groups,o=Partners, dc=example,dc=com" to search for and read entries in the "o=Partners, dc=example,dc=com" subtree

The same access is granted for any substitution value for the ($1) parameter variable. If an operation tried to read the uid=user.1,o=acme,dc=example,dc=com entry, this ACI would be considered. This ACI would allow a read action, if the operation's user is a member of the cn=Subtree Admin Group,ou=groups,o=acme,dc=example,dc=com group.

Attribute values from the target DN can be replaced with different variables ($#) and then reference those variables in the group DN or user DN. The string representation of a parameter variable is constructed as follows:
  • an open parenthesis
  • a dollar sign
  • a positive integer
  • a closing parenthesis
In another example:
"population=($2),ou=Populations,environment=($1),ou=Environments,o=Acme"
The ($2) variable is the population ID in the DN of the target entry, and ($1) is the environment ID in the DN of the target entry. Those values from the target entry's DN are then substituted into the group DN or user DN value.

Parameter variables present in a parameterized ACI's target will be associated with the actual values from the resource DN. Each actual value will be substituted for its respective parameter variable in the ACI's target, and group bind rule DNs when performing access control on the resource entry. Parameter variables can be used in multiple RDNs in a parameterized target. A given RDN may have at most one parameter variable as its attribute value, and a given parameter variable may appear only once in the parameterized target.

The following values are examples of valid parameterized target DNs:
  • ou=($1),dc=example,dc=com
  • population=($2),ou=Populations,environment=($1),ou=Environments,o=Acme
  • o=($1) (for a global ACI)
An ACI on an entry can only apply to that entry's subtree. If an ACI with a parameterized target is stored on an entry, that entry's DN must appear in a non-parameterized form as the rightmost RDNs of the parameterized target's DN. For example, if an ACI with a parameterized target were stored on the dc=example,dc=com entry, that parameterized target must end in dc=example,dc=com in a non-parameterized form. Global ACIs do not have this restriction. Each global ACI can have parameter variables in any or all of its parameterized target's RDNs. Additional restrictions for parameterized targets include:
  • They may not be pattern ACIs. That is, they may not contain wildcards ('*').
  • RDNs that are parameterized must be single-valued. For example, a given parameterized RDN may not consist of two or more type-value pairs joined by '+'.