Red Hat Directory Server 8.0 Administrator's Guide

userattr = "parent[0,1].manager#USERDN"
This bind rule is evaluated to be true if the bind DN matches the manager attribute of the
targeted entry. The permissions granted when the bind rule is evaluated to be true apply to the
target entry and to all entries immediately below it.
The example in Figure 6.1, “Using Inheritance With the userattr Keyword” indicates that user
bjensen is allowed to read and search the cn=Profiles entry as well as the first level of child
entries, which includes cn=mail and cn=news, thus allowing her to search through her own mail
and news IDs.
Figure 6.1. Using Inheritance With the userattr Keyword
In this example, if you did not use inheritance, you would have to do one of the following to
achieve the same result:
Explicitly set read and search access for user bjensen on the cn=Profiles, cn=mail, and
cn=news entries in the directory.
Add the owner attribute with a value of bjensen to the cn=mail and cn=news entries, and
then add the following ACI to the cn=mail and cn=news entries.
aci: (targetattr="*") (version 3.0; acl "profiles access"; allow (read,search)
 userattr="owner#USERDN";)
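The following Python model is an added illustration, not code from the guide or from Directory Server: it parses a userattr value of the form parent[levels].attribute#USERDN and walks the listed inheritance levels (0 = the entry itself, 1 = its parent) to decide whether the bind DN matches, so the inherited rule and the explicit owner#USERDN alternative above can be compared on the same sample tree. The suffix dc=example,dc=com, bjensen's full DN and the use of owner as the matched attribute are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: DN -> attributes. The suffix and bjensen's DN are
# assumptions; the guide does not state them.
BJENSEN = "uid=bjensen,ou=People,dc=example,dc=com"
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=Profiles,dc=example,dc=com": {"owner": [BJENSEN]},
    "cn=mail,cn=Profiles,dc=example,dc=com": {},
    "cn=news,cn=Profiles,dc=example,dc=com": {},
    # two levels below cn=Profiles, so outside the reach of parent[0,1]
    "cn=archive,cn=news,cn=Profiles,dc=example,dc=com": {},
}

# userattr = "[parent[levels].]attribute#bindType"; only USERDN is modelled here.
USERATTR_RE = re.compile(
    r"^(?:parent\[(?P<levels>\d+(?:,\d+)*)\]\.)?(?P<attr>[A-Za-z][\w-]*)#(?P<bind>\w+)$"
)

def parse_userattr(rule: str) -> Tuple[List[int], str, str]:
    """Return (inheritance levels, attribute name, bind type) for a userattr value."""
    m = USERATTR_RE.match(rule.strip().strip('"'))
    if not m:
        raise ValueError(f"not a userattr rule: {rule!r}")
    levels = [int(x) for x in m.group("levels").split(",")] if m.group("levels") else [0]
    return levels, m.group("attr").lower(), m.group("bind").upper()

def ancestor_dn(dn: str, level: int) -> Optional[str]:
    """Strip `level` leading RDNs (level 0 = the entry itself). Escaped commas are ignored."""
    rdns = dn.split(",")
    return ",".join(rdns[level:]) if level < len(rdns) else None

def userattr_allows(directory: Dict[str, Dict[str, List[str]]],
                    entry_dn: str, bind_dn: str, rule: str) -> bool:
    """True if, at any listed level, the ancestor's attribute contains the bind DN."""
    levels, attr, bind_type = parse_userattr(rule)
    if bind_type != "USERDN":
        raise NotImplementedError("only USERDN is modelled")
    for level in levels:
        ancestor = ancestor_dn(entry_dn, level)
        if ancestor is None:
            continue
        values = directory.get(ancestor, {}).get(attr, [])
        if any(v.lower() == bind_dn.lower() for v in values):
            return True
    return False

if __name__ == "__main__":
    for dn in SAMPLE_DIRECTORY:
        print(dn, userattr_allows(SAMPLE_DIRECTORY, dn, BJENSEN, "parent[0,1].owner#USERDN"))
```

With the inherited rule, cn=Profiles, cn=mail and cn=news all match for bjensen while cn=archive does not; with plain owner#USERDN only cn=Profiles matches, which is why the explicit alternative has to add the owner attribute to each child entry.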
4.5.1.7. Granting Add Permission Using the userattr Keyword
Using the userattr keyword in conjunction with all or add permissions does not behave as
one would typically expect. Typically, when a new entry is created in the directory, Directory
Server evaluates access rights on the entry being created and not on the parent entry.
However, in the case of ACIs using the userattr keyword, this behavior could create a security