A target expression has three components:

Keyword
    The keyword specifies the type of target element.
Expression
    The expression specifies the items that are targeted by the access control rule.
Operator
    The operator is either equal (=) or not-equal (!=).
Note: You cannot use the != operator with the targattrfilters and targetscope keywords.

For specific examples of each target keyword, see Working with targets.

A target expression has the following form:

(keyword [=||!=]expression)

You can use the following keywords in the target portion of ACIs:

Summary of Access Control Target Keywords
Each entry below gives the target keyword, its description, and whether wildcards are supported.
extop

Specifies the OIDs for any extended operations to which the access control rule should apply.

Wildcards: No

requestcriteria

Determines whether an access control rule applies to an operation based on whether that operation matches a given request criteria definition.

If present in an access control rule, the operator must be either "=" or "!=". The value must be enclosed in quotation marks and it must be the name or full DN of the configuration object that defines the desired request criteria.

For example, suppose you want to allow members of the cn=Sales Administrators,ou=Groups,dc=example,dc=com group to read from and write to the entries of users who are members of the cn=Sales Employees,ou=Groups,dc=example,dc=com group. First, create a request criteria object that matches entries for users in the cn=Sales Employees,ou=Groups,dc=example,dc=com group. You can do this with the following configuration change:

dsconfig create-request-criteria \
     --criteria-name "Requests Targeting Sales Employees" \
     --type simple \
     --set "any-included-target-entry-group-dn:cn=Sales Employees,ou=Groups,dc=example,dc=com"

With that request criteria defined, you can use a modification like the following to create the corresponding access control rule:

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(requestcriteria="Requests Targeting Sales
  Employees")(version 3.0; acl "Allow sales administrators to manage
  sales employees"; allow (read,search,compare,write)
  groupdn="ldap:///cn=Sales Administrators,ou=Groups,dc=example,dc=com";)

target

Specifies the set of entries, identified using LDAP URLs, to which the access control rule applies.

Wildcards: Yes

targattrfilters

Identifies specific attribute values based on filters that can be added to or removed from entries to which the access control rule applies.

Wildcards: Yes

targetattr

Specifies the set of attributes to which the access control rule should apply.

Wildcards: Yes

targetcontrol

Specifies the OIDs for any request controls to which the access control rule should apply.

Wildcards: No

targetfilter

Specifies one or more search filters that can be used to indicate the set of entries to which the access control rule should apply.

Wildcards: Yes

targetscope

Specifies the scope of entries, relative to the defined target entries or the entry containing the ACI if there is no target, to which the access control rule should apply.

Wildcards: No
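The target syntax, the != restriction from the note, and the keyword list above can be checked mechanically before an ACI is submitted. The following Python linter is an added example, not part of the product or its documentation; the function names are hypothetical, and it assumes double-quoted target values as in the page's example ACI.

```python
import re

# Keywords from the summary table on this page, spelled as in the table.
TARGET_KEYWORDS = {"extop", "requestcriteria", "target", "targattrfilters",
                   "targetattr", "targetcontrol", "targetfilter", "targetscope"}
# Per the note on this page, "!=" cannot be used with these two keywords.
NO_NOT_EQUAL = {"targattrfilters", "targetscope"}

# One target expression; assumes a double-quoted value, as in the page's ACI.
TARGET_RE = re.compile(r'\s*\(\s*([A-Za-z]+)\s*(!=|=)\s*"([^"]*)"\s*\)')

def unfold_ldif(value):
    """Join LDIF continuation lines (line break followed by one space)."""
    return re.sub(r"\r?\n ", "", value)

def parse_targets(aci):
    """Return (keyword, operator, expression) for each target in an ACI."""
    targets, pos = [], 0
    while (m := TARGET_RE.match(aci, pos)):
        targets.append(m.groups())
        pos = m.end()
    # The target portion must run straight into "(version 3.0; ...".
    if not re.match(r"\s*\(\s*version\s", aci[pos:]):
        raise ValueError(f"malformed target expression at offset {pos}")
    return targets

def lint_targets(aci):
    """Return findings for the target portion of an unfolded ACI value."""
    findings = []
    for keyword, op, _ in parse_targets(aci):
        if keyword not in TARGET_KEYWORDS:
            findings.append(f"unknown target keyword: {keyword}")
        elif op == "!=" and keyword in NO_NOT_EQUAL:
            findings.append(f"'!=' is not allowed with {keyword}")
    return findings

# The aci value from the page's LDIF example, folded as shown there.
PAGE_ACI = unfold_ldif(
    '(targetattr="*")(requestcriteria="Requests Targeting Sales\n'
    '  Employees")(version 3.0; acl "Allow sales administrators to manage\n'
    '  sales employees"; allow (read,search,compare,write)\n'
    '  groupdn="ldap:///cn=Sales Administrators,ou=Groups,dc=example,dc=com";)'
)
# Constructed ACI that breaks the operator rule from the note.
BAD_ACI = ('(targetscope!="subtree")(targetattr="*")(version 3.0; '
           'acl "constructed"; allow (read) userdn="ldap:///self";)')

if __name__ == "__main__":
    print(lint_targets(PAGE_ACI), lint_targets(BAD_ACI))
```

The linter checks only the target portion; the permissions and bind rules after the version string are not validated.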