targattrfilters keyword targets specific attribute values that
match a filtered search criteria.
This keyword allows you to set up an ACI that grants or denies permissions on an
attribute value if that value meets the filter criteria. The
targattrfilters keyword applies to individual values of an
attribute, not to the whole attribute. The keyword also allows the use of wildcards in
The keyword clause has the following format.
(target = "add=attr1:Filter1 && attr2:Filter2... && attrn:FilterN, del=attr1:Filter1 && attr2:Filter2 ... && attrN:FilterN" )
- Represents the operation of adding an attribute value to the entry.
- Represents the operation of removing an attribute value from the entry.
- Represents the targeted attributes.
- Represents filters that identify matching attribute values.
The following conditions determine when the attribute must satisfy the filter:
- When adding or deleting an entry containing an attribute targeted a
targattrfilterselement, each value of that attribute must satisfy the corresponding filter.
- When modifying an entry, if the operation adds one or more values for an attribute
targeted by a
targattrfilterselement, each value must satisfy the corresponding filter. If the operation deletes one or more values for a targeted attribute, each value must satisfy the corresponding filter.
- When replacing the set of values for an attribute targeted by a
targattrfilterselement, each value removed must satisfy the delete filters and each value added must satisfy the add filters.
The following example allows any user who is part of the
cn=directory server admins group to add the
aci:(targattrfilter="add=ds-privilege-name:(ds-privilege-name=soft-delete-read)") (version 3.0; acl "Allow members of the directory server admins group to grant the soft-delete-read privilege"; allow (write) groupdn="ldap:///cn=directory server admins,ou=group,dc=example,dc=com";)