The rights section of an ACI defines the permissions that are granted or denied to requesters identified by the bind rule for operations against the data specified by the target.
Every ACI must allow or deny one or more rights.
The read right covers access to attributes within search result entries. If a client does not have the read right for an attribute in a search result entry, then that attribute is stripped out of the entry before it is returned to the client.

The search right covers permission to use attributes in a search filter. When performing a search (regardless of its scope), the requester must have the search permission for all attributes in the filter. If the requester has search permission for all attributes used in the filter, but only for a portion of the subtree used as the scope for the search, then only entries that reside in portions of the DIT where the search right is granted can be retrieved. For example, if a user has the search right for the cn attribute below ou=People,dc=example,dc=com, then a search based at dc=example,dc=com with a filter that contains the cn attribute only returns matching entries below ou=People,dc=example,dc=com, even if there are other entries matching the filter below dc=example,dc=com but outside of ou=People,dc=example,dc=com.
The compare right covers permission to perform a compare assertion for a specified set of attributes. A compare assertion includes an entry DN, an attribute name, and an assertion value. If the specified entry has the given attribute with the provided assertion value, then the server returns a result of compareTrue (result code 6). If the entry does not have the indicated attribute value, then the server returns a result of compareFalse (result code 5). However, if the requester does not have permission to perform that compare assertion, then the server returns a result of insufficientAccessRights (result code 50).
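As an added illustration of the read, search and compare rights described above (not the directory server's own code), this Python model evaluates simplified ACIs over an in-memory DIT: the search right is checked per entry, so a search based at dc=example,dc=com only returns matches below ou=People, unreadable attributes are stripped from results, and compare returns result codes 6, 5 or 50. The Aci class, the DIT and the ACI rules are constructed for the example; real ACIs also carry bind rules, which this model omits.

```python
from dataclasses import dataclass

def is_within(dn, base):
    """True if dn is base itself or sits anywhere below it (case-insensitive)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

@dataclass(frozen=True)
class Aci:  # simplified rule: no bind rule, target subtree + attributes + rights
    target: str         # subtree the rule applies to
    attrs: frozenset    # attributes it covers; {"*"} means every attribute
    rights: frozenset   # subset of {"read", "search", "compare"} in this model
    allow: bool = True  # False makes it a deny rule

def has_right(acis, entry_dn, attr, right):
    """A matching deny rule beats any allow rule for the same entry/attribute/right."""
    matches = [a for a in acis
               if is_within(entry_dn, a.target) and right in a.rights
               and ("*" in a.attrs or attr in a.attrs)]
    if any(not a.allow for a in matches):
        return False
    return any(a.allow for a in matches)

def search(acis, dit, base_dn, filter_attr, filter_value):
    """Entries below base_dn matching attr=value, with unreadable attributes stripped."""
    results = {}
    for dn, entry in dit.items():
        # An entry can only match if it is in scope and the requester holds the
        # search right for the filter attribute in the part of the DIT it lives in.
        if not (is_within(dn, base_dn) and has_right(acis, dn, filter_attr, "search")):
            continue
        if filter_value in entry.get(filter_attr, []):
            results[dn] = {k: v for k, v in entry.items() if has_right(acis, dn, k, "read")}
    return results

def compare(acis, dit, dn, attr, value):
    """6 = compareTrue, 5 = compareFalse, 50 = insufficientAccessRights."""
    if not has_right(acis, dn, attr, "compare"):
        return 50
    return 6 if value in dit.get(dn, {}).get(attr, []) else 5

# Constructed sample data: two entries named Alice, only one below ou=People.
DIT = {
    "uid=alice,ou=People,dc=example,dc=com": {"cn": ["Alice"], "userPassword": ["secret"]},
    "cn=Alice,ou=Admins,dc=example,dc=com": {"cn": ["Alice"]},
}
ACIS = [
    Aci("ou=People,dc=example,dc=com", frozenset({"*"}), frozenset({"read", "search", "compare"})),
    Aci("dc=example,dc=com", frozenset({"userPassword"}), frozenset({"read"}), allow=False),
]
```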
The write right covers permission to update attributes in an entry. This includes modify operations, and it also includes modify DN operations that do not specify a newSuperior (that is, modify distinguished name (DN) operations that only attempt to rename an entry and do not attempt to move it beneath a new parent). It does not include adding new entries or deleting existing entries.
The selfwrite right is a limited subset of the write permission. It covers permission for a user to add their own DN to the set of values for specified attributes, or to remove their own DN from the set of values for those attributes. This is typically used to allow a user to add themselves to or remove themselves from static groups. The selfwrite right should only be used for attributes that have a syntax of either distinguished name or name and optional UID. Attempts to use it for attributes with other syntaxes can fail or result in unexpected behavior.
The add right covers permission to add new entries to the server. The requester must have the add right for all attributes included in the entry to be added.
The delete right covers permission to remove entries from the server. For the delete operation, the requester only needs to have the delete right for the target entry and not for individual attributes within the entry. However, the server enforces any targattrfilters restrictions for attribute values contained in the entry to be deleted. If a targattrfilters restriction is used to limit the set of values that the requester can delete, then they are only allowed to delete entries containing those values.
Although you might assume otherwise from their names, the export and import rights do not have any relation to exporting data to LDIF or importing data from LDIF. Instead, these rights cover permission to move entries within the DIT (using a modify DN operation that includes a newSuperior). The export right is required to move an entry out from under its current parent, and the import right is required to move the entry below its new parent. These rights are not required to perform a modify DN operation that does not attempt to move the entry below a new parent; that is covered by the write right.
The all right is a shorthand notation that includes the capabilities of all of the other access control rights except the proxy right. The all right is equivalent to using read, search, compare, write, selfwrite, add, delete, export, and import.
The proxy right covers the ability to process an operation under the authority of an alternate authorization identity. This includes:
- Requests that include a proxied authorization request control
- Requests that include an intermediate client request control with a userIdentity
- SASL bind requests that request an alternate authorization identity
Because the ability to impersonate another user is a very sensitive operation, the requester must have the proxied-auth privilege for the operation to