targattrfilters keyword targets specific attribute values that
match a filtered search criteria. This keyword allows you to set up an ACI that grants or
denies permissions on an attribute value if that value meets the filter criteria. The
targattrfilters keyword applies to individual values of an attribute, not
to the whole attribute. The keyword also allows the use of wildcards in the filters.
The keyword clause has the following formats:
(target = "add=attr1:Filter1 && attr2:Filter2... && attrn:FilterN, del=attr1:Filter1 && attr2:Filter2 ... && attrN:FilterN" )
- add represents the operation of adding an attribute value to the entry
- del represents the operation of removing an attribute value from the entry
- attr1, attr2... attrN represents the targeted attributes
- filter1, filter2 ... filterN represents filters that identify matching attribute values
- When adding or deleting an entry containing an attribute targeted a
targattrfilterselement, each value of that attribute must satisfy the corresponding filter.
- When modifying an entry, if the operation adds one or more values for an attribute
targeted by a
targattrfilterselement, each value must satisfy the corresponding filter. If the operation deletes one or more values for a targeted attribute, each value must satisfy the corresponding filter.
- When replacing the set of values for an attribute targeted by a
targattrfilterselement, each value removed must satisfy the delete filters, and each value added must satisfy the add filters.
The following example allows any user who is part of the
admins group to add the
aci:(targattrfilter="add=ds-privilege-name:(ds-privilege-name=soft-delete-read)") (version 3.0; acl "Allow members of the directory server admins group to grant the soft-delete-read privilege"; allow (write) groupdn="ldap:///cn=directory server admins,ou=group,dc=example,dc=com";)