Red Hat Directory Server 8.0 Administrator's Guide
This example assumes that you have added the connectionTime and accountBalance
attributes to the schema.
6. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
9.7.2. ACI "Billing Info Deny"
In LDIF, to deny subscribers permission to modify billing information in their own entry, write the
following statement:
aci: (targetattr="connectionTime || accountBalance") (version
3.0; acl "Billing Info Deny"; deny (write) userdn="ldap:///self";)
This example assumes that the relevant attributes have been created in the schema and that
the ACI is added to the ou=subscribers,dc=example,dc=com entry.
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the Subscribers entry under the example.com node in the
left navigation tree, and choose Set Access Permissions from the pop-up menu to display
the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Billing Info Deny. In the list of
users granted access permission, do the following:
a. Select and remove All Users, then click Add.
The Add Users and Groups dialog box opens.
b. Set the Search area in the Add Users and Groups dialog box to Special Rights, and
select Self from the search results list.
c. Click the Add button to list Self in the list of users who are granted access permission.
d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, select the checkbox for write. Make sure the other checkboxes are clear.
5. Click the Edit Manually button, and, in the LDIF statement that opens, change the word
allow to deny.
6. In the Targets tab, click This Entry to display the ou=subscribers, dc=example,dc=com
suffix in the Target directory entry field. In the attribute table, select the checkboxes for the
connectionTime and accountBalance attributes.
Denying Access
231