Considerations for access control filtering - PingDirectory

Page created: 26 Jul 2021 |

Page updated: 14 Jan 2022

| 1 min read

9.0 Product PingDirectory Directory Capability Product documentation Content Type Administration User task IT Administrator Administrator Audience System Administrator Software Deployment Method SCIM Standards, specifications, and protocols

The directory server will not return the changelog entry if the user is not allowed to see the target entry.
The directory server strips out any attributes that the user is not allowed to see.
If no changes are left in the entry, no changelog entry will be returned.
If only some attributes are stripped out, the changelog entry will be returned.
Access control filtering on a specific attribute value is not supported. Either all attribute values are returned or none.
If a sensitive attribute policy is used to filter attributes when a client normally accesses the directory server, this policy will not be taken into consideration during notifications since the Sync User is always connecting using the same method. Configure access controls to filter out attributes, not based on the type of connection made to the server, but based on who is accessing the data. The filter-changes-by-user property will be able to evaluate if that person should have access to these attributes.