This should generally be limited to access control rules that meet one or more of the following criteria:

  • They need to apply to entries in backends other than those containing user data. This includes the root DSE, the server configuration, monitor entries, the LDAP changelog, administrative tasks, and other areas of the server. If these ACIs apply to data in a specific backend, then the target keyword should be used to limit the scope of the rule.
  • They need to apply to one or more extended operations (using the extop target). ACIs that grant or deny access to extended operations must be defined in the global configuration.
  • They need to apply to request controls (using the targetcontrol target). Although it may be possible to define ACIs pertaining to request controls in user data (especially if those controls are only expected to be used when issuing requests targeting user data), ACIs pertaining to request controls are commonly placed in the global configuration.

For example, the following configuration change can be used to define a global ACI that grants members of the “Changelog Readers” group permission to read entries in the LDAP changelog.

dsconfig set-access-control-handler-prop --add 'global-aci:(target="ldap:///cn=changelog")(version 3.0; acl "Allow changelog read access"; allow (read,search,compare) groupdn="ldap:///ou=Changelog Readers,ou=Groups,dc=example,dc=com";)'