Page created: 22 Jul 2020 | Page updated: 12 Dec 2022
Permissions indicate the types of operations to which an access control rule might apply. You specify whether a user or group of users is allowed or not allowed to carry out a specific operation. For example, you grant read access to a targeted entry or entries using the "allow (read)" permission, or you specifically deny access to the target entries and/or attributes using the "deny (read)" permission. You can list multiple permissions in an ACI as required:
```
allow (permission1, permission2, ..., permissionN)
deny (permission1, permission2, ..., permissionN)
```
The following keywords are supported for use in the permissions portion of ACIs:
| Permission | Description |
|---|---|
| add | Indicates that the access control should apply to add operations. |
| compare | Indicates that the access control should apply to compare operations, as well as to search operations with a base-level scope that targets a single entry. |
| delete | Indicates that the access control should apply to delete operations. |
| export | Indicates that the access control should only apply to modify DN operations in which an entry is moved below a different parent by specifying a new superior DN in the modify DN request. The requestor must have the export permission for operations against the entry's original DN. The requestor must have the import permission for operations against the entry's new superior DN. For modify DN operations that merely alter the RDN of an entry but keep it below the same parent (i.e., rename the entry), only the write permission is required. This is true regardless of whether the entry being renamed is a leaf entry or has subordinate entries. |
| import | See the description for the export permission. |
| proxy | Indicates that the access control rule should apply to operations that attempt to use an alternate authorization identity (for example, operations that include a proxied authorization request control, an intermediate client request control with an alternate authorization identity, or a client that has authenticated with a SASL mechanism that allows an alternate authorization identity to be specified). |
| read | Indicates that the access control rule should apply to search result entries returned by the server. |
| search | Indicates that the access control rule should apply to search operations with a non-base scope. |
| selfwrite | Indicates that the access control rule should apply to operations in which a user attempts to add or remove his or her own DN to the values for an attribute (for example, whether users may add or remove themselves from groups). |
| write | Indicates that the access control rule should apply to modify and modify DN operations. |
| all | An aggregate permission that includes all other permissions except "proxy". This is equivalent to providing a permission of "add, compare, delete, read, search, selfwrite, write, export, and import." |
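The following Python is an added example, not code from the page or from the directory server it documents. It covers both the `allow (...)`/`deny (...)` syntax shown above and the keyword table: it parses the permissions portion of an ACI, rejects unknown keywords, expands `all` to the nine permissions the table lists, and applies the export/import/write rules for modify DN operations. Two things are assumptions of the example rather than statements on this page: an explicit `deny` is treated as overriding an `allow` for the same permission, and DNs are split on unescaped commas only (escaped commas in RDN values are not handled). The function names and the sample ACI strings are constructed for illustration.

```python
import re

# Permission keywords from the table above. "all" expands to every
# permission except "proxy", as the table states.
PERMISSIONS = {"add", "compare", "delete", "export", "import", "proxy",
               "read", "search", "selfwrite", "write"}
ALL_EXPANSION = PERMISSIONS - {"proxy"}

# Matches "allow (perm1, perm2)" or "deny (perm1,perm2)" wherever it
# appears inside an ACI string.
_CLAUSE_RE = re.compile(r"\b(allow|deny)\s*\(\s*([^)]*)\)", re.IGNORECASE)


def parse_permission_clauses(aci_text):
    """Return [(kind, set_of_permissions), ...] for each allow/deny clause.

    Unknown keywords raise ValueError so a typo such as "wirte" cannot
    silently produce an ACI that grants nothing (or the wrong thing).
    """
    clauses = []
    for kind, body in _CLAUSE_RE.findall(aci_text):
        perms = set()
        for token in body.split(","):
            token = token.strip().lower()
            if not token:
                continue
            if token == "all":
                perms |= ALL_EXPANSION
            elif token in PERMISSIONS:
                perms.add(token)
            else:
                raise ValueError(f"unknown permission keyword: {token!r}")
        clauses.append((kind.lower(), perms))
    return clauses


def effective_permissions(aci_text):
    """Permissions granted by allow clauses minus anything explicitly denied.

    Assumption of this example: deny overrides allow for the same keyword.
    """
    allowed, denied = set(), set()
    for kind, perms in parse_permission_clauses(aci_text):
        (allowed if kind == "allow" else denied).update(perms)
    return allowed - denied


def audit_permissions(aci_text):
    """Flag the grants a reviewer would look at first: proxy, and grants
    that cover the whole 'all' set. Returns a list of finding strings."""
    findings = []
    for kind, perms in parse_permission_clauses(aci_text):
        if kind != "allow":
            continue
        if "proxy" in perms:
            findings.append("grants proxy: operations may run under an "
                            "alternate authorization identity")
        if ALL_EXPANSION <= perms:
            findings.append("grants the full 'all' set; confirm the target "
                            "and bind rule are narrow")
    return findings


def _parent_dn(dn):
    # Simplification: splits on the first comma, so escaped commas in an
    # RDN value are not handled (assumption of this example).
    return dn.split(",", 1)[1].strip() if "," in dn else ""


def modify_dn_required_permissions(old_dn, new_dn):
    """Map each DN that is checked to the permission(s) a modify DN needs.

    Per the export/import rows above: moving an entry under a new superior
    needs export on the original DN and import on the new superior DN;
    a plain rename under the same parent needs only write.
    """
    old_parent, new_parent = _parent_dn(old_dn), _parent_dn(new_dn)
    if old_parent.lower() == new_parent.lower():
        return {old_dn: {"write"}}
    return {old_dn: {"export"}, new_parent: {"import"}}


if __name__ == "__main__":
    # Constructed sample ACI text; only the permissions portion is inspected.
    sample = ('(targetattr="*")(version 3.0; acl "self read"; '
              'allow (read, search, compare) userdn="ldap:///self";)')
    print(sorted(effective_permissions(sample)))
    print(audit_permissions("allow (all, proxy)"))
    print(modify_dn_required_permissions(
        "uid=alice,ou=people,dc=example,dc=com",
        "uid=alice,ou=staff,dc=example,dc=com"))
```

Running the script prints the three read-only permissions for the self-read ACI, two findings for the `all, proxy` grant, and the export/import split for the move between `ou=people` and `ou=staff`. The parser looks only at the permissions portion; the target and bind-rule parts of an ACI are outside what this page describes and are left untouched.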