The targattrfilters keyword targets specific attribute values that match a filtered search criteria. This keyword allows you to set up an ACI that grants or denies permissions on an attribute value if that value meets the filter criteria. The targattrfilters keyword applies to individual values of an attribute, not to the whole attribute. The keyword also allows the use of wildcards in the filters.

The keyword clause has the following formats:

(target = "add=attr1:Filter1 && attr2:Filter2... && attrn:FilterN,
del=attr1:Filter1 && attr2:Filter2 ... && attrN:FilterN" )
where
  • add represents the operation of adding an attribute value to the entry
  • del represents the operation of removing an attribute value from the entry
  • attr1, attr2... attrN represents the targeted attributes
  • filter1, filter2 ... filterN represents filters that identify matching attribute values
The following conditions determine when the attribute must satisfy the filter:
  • When adding or deleting an entry containing an attribute targeted a targattrfilters element, each value of that attribute must satisfy the corresponding filter.
  • When modifying an entry, if the operation adds one or more values for an attribute targeted by a targattrfilters element, each value must satisfy the corresponding filter. If the operation deletes one or more values for a targeted attribute, each value must satisfy the corresponding filter.
  • When replacing the set of values for an attribute targeted by a targattrfilters element, each value removed must satisfy the delete filters, and each value added must satisfy the add filters.

The following example allows any user who is part of the cn=directory server admins group to add the soft-delete-read privilege.

aci:(targattrfilter="add=ds-privilege-name:(ds-privilege-name=soft-delete-read)")
  (version 3.0; acl "Allow members of the directory server admins group to grant the
   soft-delete-read privilege"; allow (write) 
   groupdn="ldap:///cn=directory server admins,ou=group,dc=example,dc=com";)