Red Hat Directory Server 8.0 Administrator's Guide
default but could be restricted using the targattrfilters keyword.
• Deleting an entry:
    • Grant delete permission on the entry to be deleted.
    • Grant write permission on the value of each attribute in the entry. This right is granted by default but could be restricted using the targattrfilters keyword.
• Modifying an attribute in an entry:
    • Grant write permission on the attribute type.
    • Grant write permission on the value of each attribute type. This right is granted by default but could be restricted using the targattrfilters keyword.
• Modifying the RDN of an entry:
    • Grant write permission on the entry.
    • Grant write permission on the attribute type used in the new RDN.
    • Grant write permission on the attribute type used in the old RDN, if you want to grant the right to delete the old RDN.
    • Grant write permission on the value of the attribute type used in the new RDN. This right is granted by default but could be restricted using the targattrfilters keyword.
• Comparing the value of an attribute:
    • Grant compare permission on the attribute type.
• Searching for entries:
    • Grant search permission on each attribute type used in the search filter.
    • Grant read permission on the attribute types returned from the entry.
The permissions granted on individual attributes or entries can affect a broad range of actions; for example, a user must hold several different permissions to perform even a simple search of the directory, such as the following ldapsearch operation:
    ldapsearch -h host -s base -b "uid=bkolics,dc=example,dc=com" objectclass=* mail
The following ACI is used to determine whether user bkolics can be granted access:
    aci: (targetattr = "mail")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)
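The following Python script is an added example and is not part of the Administrator's Guide or of Directory Server itself. It models only the two rules the list above states for a search (search permission on every attribute type in the filter, read permission on every attribute type returned) against a deliberately small subset of ACI syntax: a single `targetattr` clause, an `allow (...)` list, and `userdn` set to `ldap:///self` or `ldap:///anyone`. Real ACI evaluation handles many more keywords (`targetattrfilters`, `targetfilter`, `groupdn`, deny rules, and so on), so treat the result as an illustration of the rule of thumb, not as the server's decision procedure. The `check_search` function reports which (attribute, right) pairs no ACI grants, which is the question an administrator asks when a search returns less than expected.

```python
"""Toy model of per-attribute permission checks for an LDAP search.

Added example (not from the Red Hat Directory Server guide). Models only:
  - search right required on each attribute type in the search filter
  - read right required on each attribute type returned
  - ACI subset: (targetattr="a || b")(version 3.0; acl "name";
                allow (rights) userdn = "ldap:///self" | "ldap:///anyone";)
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Aci:
    target_attrs: frozenset   # lower-cased attribute types, or {"*"}
    rights: frozenset         # e.g. {"read", "search"}
    userdn: str               # only ldap:///self and ldap:///anyone modelled


# Accepts the one-targetattr, one-userdn form used in the guide's example.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"([^"]*)"\)\s*\(version 3\.0;\s*acl\s*"[^"]*";\s*'
    r'allow\s*\(([^)]*)\)\s*userdn\s*=\s*"([^"]*)";\)'
)


def parse_aci(text):
    """Parse the supported ACI subset; reject anything else loudly."""
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    attrs = frozenset(a.strip().lower() for a in m.group(1).split("||"))
    rights = frozenset(r.strip().lower() for r in m.group(2).split(","))
    return Aci(attrs, rights, m.group(3).strip())


def aci_applies(aci, bind_dn, entry_dn):
    """Does this ACI's userdn clause match the bound user for this entry?"""
    if aci.userdn == "ldap:///anyone":
        return True
    if aci.userdn == "ldap:///self":
        return bind_dn.lower() == entry_dn.lower()
    return False  # other bind rules are outside this toy model


def has_right(acis, bind_dn, entry_dn, attr, right):
    """True if some applicable ACI grants `right` on `attr`."""
    attr = attr.lower()
    return any(
        aci_applies(a, bind_dn, entry_dn)
        and right in a.rights
        and (attr in a.target_attrs or "*" in a.target_attrs)
        for a in acis
    )


def check_search(acis, bind_dn, entry_dn, filter_attrs, requested_attrs):
    """Return (allowed, missing): missing lists (attr, right) pairs that
    no ACI grants, following the two rules stated for searches."""
    missing = []
    for attr in filter_attrs:
        if not has_right(acis, bind_dn, entry_dn, attr, "search"):
            missing.append((attr, "search"))
    for attr in requested_attrs:
        if not has_right(acis, bind_dn, entry_dn, attr, "read"):
            missing.append((attr, "read"))
    return (not missing, missing)


# The ACI quoted in the guide, on one line.
SELF_MAIL_ACI = ('(targetattr = "mail")(version 3.0; acl "self access to mail"; '
                 'allow (read, search) userdn = "ldap:///self";)')

# Constructed second ACI (not from the guide) that adds the missing
# search right on objectclass for any bound user.
ANYONE_OBJECTCLASS_ACI = ('(targetattr = "objectclass")(version 3.0; '
                          'acl "search on objectclass"; allow (search) '
                          'userdn = "ldap:///anyone";)')

BKOLICS = "uid=bkolics,dc=example,dc=com"


def guide_example(extra_acis=()):
    """Model the guide's ldapsearch: filter objectclass=*, attribute mail,
    bkolics searching his own entry. Optionally add further ACIs."""
    acis = [parse_aci(SELF_MAIL_ACI)] + [parse_aci(a) for a in extra_acis]
    return check_search(acis, BKOLICS, BKOLICS, ["objectclass"], ["mail"])


if __name__ == "__main__":
    print("mail-only ACI:", guide_example())
    print("plus objectclass ACI:", guide_example([ANYONE_OBJECTCLASS_ACI]))
```

Under this model the guide's ACI alone covers read and search on mail for the user's own entry but says nothing about objectclass, so the filter check comes back as the missing right; adding a second ACI that grants search on objectclass clears it, while a different bound user still lacks read on mail because `ldap:///self` does not match them.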
Defining Permissions
183