This keyword allows you to set up an ACI that grants or denies permissions on an attribute value if that value meets the filter criteria. The targattrfilters keyword applies to individual values of an attribute, not to the whole attribute. The keyword also allows the use of wildcards in the filters.

The keyword clause has the following format.

(target = "add=attr1:Filter1 && attr2:Filter2... && attrn:FilterN,
del=attr1:Filter1 && attr2:Filter2 ... && attrN:FilterN" )

Where:

add
Represents the operation of adding an attribute value to the entry.
del
Represents the operation of removing an attribute value from the entry.
<attr1>, <attr2><attrN>
Represents the targeted attributes.
<filter1>, <filter2><filterN>
Represents filters that identify matching attribute values.

The following conditions determine when the attribute must satisfy the filter:

  • When adding or deleting an entry containing an attribute targeted a targattrfilters element, each value of that attribute must satisfy the corresponding filter.
  • When modifying an entry, if the operation adds one or more values for an attribute targeted by a targattrfilters element, each value must satisfy the corresponding filter. If the operation deletes one or more values for a targeted attribute, each value must satisfy the corresponding filter.
  • When replacing the set of values for an attribute targeted by a targattrfilters element, each value removed must satisfy the delete filters and each value added must satisfy the add filters.

The following example allows any user who is part of the cn=directory server admins group to add the soft-delete-read privilege.

aci:(targattrfilter="add=ds-privilege-name:(ds-privilege-name=soft-delete-read)")
  (version 3.0; acl "Allow members of the the directory server admins group to grant the
   soft-delete-read privilege"; allow (write) 
   groupdn="ldap:///cn=PingDirectory Server admins,ou=group,dc=example,dc=com";)