The targetscope keyword is used to restrict the scope of an access control rule. By default, ACIs use a subtree scope, which means that they are applied to the target entry (either the entry named by the target clause of the ACI, or the entry in which the ACI is defined if it does not include a target) and to all entries below it. Adding the targetscope element to an access control rule restricts the set of entries to which the rule applies.

The following targetscope keyword values are allowed:
  • base. Indicates that the access control rule should apply only to the target entry and not to any of its subordinates.
  • onelevel. Indicates that the access control rule should apply only to entries that are the immediate children of the target entry and not to the target entry itself, nor to any subordinates of the immediate children of the target entry.
  • subtree. Indicates that the access control rule should apply to the target entry and all of its subordinates. This is the default behavior if no targetscope is specified.
  • subordinate. Indicates that the access control rule should apply to all entries below the target entry but not the target entry itself.

The following ACI allows all users to view the operational attributes (supportedControl, supportedExtension, supportedFeatures, supportedSASLMechanisms, vendorName, and vendorVersion) present in the root DSE entry. The targetscope is base so that the rule applies only to the root DSE itself and not to any entry below it.

aci: (target="ldap:///")(targetscope="base")
    (targetattr="supportedControl||supportedExtension||
     supportedFeatures||supportedSASLMechanisms||vendorName||vendorVersion")
    (version 3.0; acl "Allow users to view Root DSE Operational Attributes";
     allow (read,search,compare) userdn="ldap:///anyone")
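As an added example (not part of the product documentation), the following Python reduces each targetscope value to an RDN-depth comparison between the target DN and a candidate entry DN, then applies that check to the root DSE ACI above; the function names are my own, and the DN parser is intentionally minimal (no wildcard targets, no multi-valued RDN handling).

```python
"""Decide which entries an ACI's targetscope covers (added illustration, not
the directory server's own code). Each scope value becomes an RDN-depth check
between the target DN and the entry DN. The DN parser is deliberately simple
(splits on unescaped commas, lowercases, trims) and ignores wildcard targets."""
import re

def split_dn(dn):
    """Split a DN into its RDNs, most specific first. The root DSE ("") -> []."""
    return [p.strip().lower() for p in re.split(r'(?<!\\),', dn) if p.strip()]

def depth_below(target, entry):
    """RDN distance of `entry` below `target`, or None if `entry` is not at or
    under `target`. The root DSE (empty DN) is an ancestor of every entry."""
    t, e = split_dn(target), split_dn(entry)
    if len(e) < len(t) or e[len(e) - len(t):] != t:
        return None
    return len(e) - len(t)

def scope_applies(targetscope, target, entry):
    """True if an ACI with this targetscope on `target` covers `entry`."""
    d = depth_below(target, entry)
    if d is None:
        return False
    return {"base": d == 0,          # the target entry only
            "onelevel": d == 1,      # immediate children only
            "subtree": True,         # target and everything beneath it
            "subordinate": d >= 1,   # everything beneath, target excluded
            }[targetscope]

def parse_scope_clause(aci_text, defined_in):
    """Extract (target DN, targetscope) from an ACI string. A missing target
    means the entry the ACI is defined in; a missing targetscope means subtree."""
    m = re.search(r'\(target="ldap:///([^"]*)"\)', aci_text)
    s = re.search(r'\(targetscope="(base|onelevel|subtree|subordinate)"\)', aci_text)
    return (m.group(1) if m else defined_in), (s.group(1) if s else "subtree")

def aci_covers(aci_text, defined_in, entry):
    """Does the targetscope part of `aci_text` (held in `defined_in`) reach `entry`?"""
    target, scope = parse_scope_clause(aci_text, defined_in)
    return scope_applies(scope, target, entry)

# The root DSE ACI shown above, held on the root DSE itself.
ROOT_DSE_ACI = ('(target="ldap:///")(targetscope="base")'
                '(targetattr="supportedControl||vendorName||vendorVersion")'
                '(version 3.0; acl "Allow users to view Root DSE Operational Attributes";'
                ' allow (read,search,compare) userdn="ldap:///anyone")')

if __name__ == "__main__":
    print(aci_covers(ROOT_DSE_ACI, "", ""))                   # True
    print(aci_covers(ROOT_DSE_ACI, "", "dc=example,dc=com"))  # False: base stops at the root DSE
```

Changing the example's targetscope to subtree (or omitting it) would make the same rule reach every entry in the server, which is the over-exposure the base scope is there to prevent.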