• The directory server will not return the changelog entry if the user is not allowed to see the target entry.
  • The directory server strips out any attributes that the user is not allowed to see.
  • If no changes are left in the entry, no changelog entry will be returned.
  • If only some attributes are stripped out, the changelog entry will be returned.
  • Access control filtering on a specific attribute value is not supported. Either all values of an attribute are returned or none are.
  • If a sensitive attribute policy is used to filter attributes when a client normally accesses the directory server, that policy is not taken into consideration during notifications, because the Sync User always connects using the same method. Configure access controls to filter out attributes based on who is accessing the data, not on the type of connection made to the server. The filter-changes-by-user property can then evaluate whether that user should have access to these attributes.
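
The filtering rules in the list above can be checked against a small model. This is an added example, not the directory server's code: the `can_see_entry` callback, the `readable_attrs` set and the sample changelog entry are constructed stand-ins for the user's access controls, and only plain (non-base64) LDIF values are handled.

```python
# Simplified model of per-user changelog filtering (added example, not server code).
# The changelog entry is a dict with targetDN and a modify-style `changes` value in
# LDIF form; the access-control inputs are hypothetical stand-ins for real ACIs.

def parse_mods(changes):
    """Split an LDIF modify body into [op, attr, [values]] blocks."""
    mods, current = [], None
    for line in changes.strip().splitlines():
        if not line.strip():
            continue
        if line.strip() == "-":            # a lone "-" closes one modification
            current = None
            continue
        name, _, value = line.partition(":")
        if current is None:                # first line of a block: "<op>: <attr>"
            current = [name.strip(), value.strip(), []]
            mods.append(current)
        else:
            current[2].append(value.strip())
    return mods

def serialize(mods):
    """Rebuild the LDIF modify body from the kept blocks."""
    blocks = ["\n".join([f"{op}: {attr}"] + [f"{attr}: {v}" for v in values])
              for op, attr, values in mods]
    return "\n-\n".join(blocks) + "\n-"

def filter_changelog_entry(entry, can_see_entry, readable_attrs):
    """Return the entry as the user may see it, or None if nothing is returned."""
    if not can_see_entry(entry["targetDN"]):
        return None                        # target entry hidden from this user
    allowed = {a.lower() for a in readable_attrs}
    # Whole-attribute decision: a kept modification keeps every one of its values.
    kept = [m for m in parse_mods(entry["changes"]) if m[1].lower() in allowed]
    if not kept:
        return None                        # every change was stripped out
    return {**entry, "changes": serialize(kept)}

# Constructed sample changelog entry.
SAMPLE = {
    "changeNumber": "1042",
    "targetDN": "uid=jdoe,ou=People,dc=example,dc=com",
    "changeType": "modify",
    "changes": ("replace: mail\nmail: jdoe@example.com\nmail: j.doe@example.com\n-\n"
                "replace: userPassword\nuserPassword: {SSHA}constructed\n-"),
}

def in_people(dn):
    return dn.lower().endswith("ou=people,dc=example,dc=com")

if __name__ == "__main__":
    print(filter_changelog_entry(SAMPLE, in_people, {"mail"}))
```

Running the model with the set of attributes a given notification consumer can read shows which changelog entries would reach it and which would be dropped entirely.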