The Sun/Oracle access control model does not differentiate between user attributes and operational attributes. With Sun/Oracle, using targetattr="*" will automatically target both user and operational attributes. Using an exclusion list like targetattr!="userPassword" will automatically target all operational attributes in addition to all user attributes except userPassword. This behavior is responsible for several significant security holes in which users are unintentionally given access to operational attributes. In some cases, it allows users to do things like exempt themselves from password policy restrictions.

In the PingDirectory Server, operational attributes are treated differently from user attributes and operational attributes are never automatically included. As such, targetattr="*" will target all user attributes but no operational attributes, and targetattr!="userPassword" will target all users attributes except userPassword, but no operational attributes. Specific operational attributes can be targeted by including the names in the list, like targetattr="creatorsName||modifiersName". All operational attributes can be targeted using the "+" character. So, targetattr="+" targets all operational attributes but no user attributes and targetattr="*||+" targets all user and operational attributes.