Red Hat Directory Server 8.0 Administrator's Guide

All other checkboxes should be clear; if it is easier, click the Check None button to clear the
checkboxes for all attributes in the table, then click the Name header to organize them
alphabetically, and select the appropriate ones.
This example assumes that the connectionTime and accountBalance attributes were
added to the schema.
7. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
9.8. Setting a Target Using Filtering
To set access controls that allow access to a number of entries that are spread across the
directory, consider using a filter to set the target.
NOTE
Because search filters do not directly name the object for which you are
managing access, it is easy to allow or deny access to the wrong objects
unintentionally, especially as your directory becomes more complex. Additionally,
filters can make it difficult to troubleshoot access control problems within your
directory.
For example, the following ACI grants user bjensen write access to the department number,
home phone number, home postal address, and manager attributes for all members of the
accounting organization.
aci: (targetattr="departmentNumber || homePhone || homePostalAddress || manager")
  (targetfilter="(uid=bjensen)")
  (version 3.0; acl "Filtered ACL"; allow (write)
  userdn="ldap:///cn=*,ou=accounting,dc=example,dc=com";)
Before you can set these permissions, you must create the accounting branch point
(ou=accounting,dc=example,dc=com). You can create organizational unit branch points in the
Directory tab on the Directory Server Console.
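Because a targetfilter never names the entries it covers, it helps to list what it selects before the ACI is saved. The following Python is an added example, not part of the Red Hat guide: it pulls the targetfilter out of an ACI string and evaluates it against entries you supply. The sample entries and the names ENTRIES, GUIDE_ACI, parse_filter, matches and aci_targets are assumptions; it assumes the ACI is placed on dc=example,dc=com so every sample entry is in scope, and it handles only &, |, !, equality, presence and * wildcards.

```python
import re

# Constructed sample entries (DN -> attributes); not taken from the guide.
ENTRIES = {
    "uid=bjensen,ou=accounting,dc=example,dc=com": {"uid": ["bjensen"], "ou": ["accounting"]},
    "uid=bjensen,ou=contractors,dc=example,dc=com": {"uid": ["bjensen"], "ou": ["contractors"]},
    "uid=jsmith,ou=accounting,dc=example,dc=com": {"uid": ["jsmith"], "ou": ["accounting"]},
}

# The ACI from the guide, written as one value.
GUIDE_ACI = ('(targetattr="departmentNumber || homePhone || homePostalAddress || manager")'
             '(targetfilter="(uid=bjensen)")(version 3.0; acl "Filtered ACL"; allow (write) '
             'userdn="ldap:///cn=*,ou=accounting,dc=example,dc=com";)')

def parse_filter(text, pos=0):
    """Parse a filter subset (&, |, !, equality, presence, '*' wildcards) into a tree."""
    if text[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos:pos + 1] in ("&", "|", "!"):
        op, pos, kids = text[pos], pos + 1, []
        while text[pos:pos + 1] == "(":
            kid, pos = parse_filter(text, pos)
            kids.append(kid)
        if text[pos:pos + 1] != ")" or not kids:
            raise ValueError("malformed filter at offset %d" % pos)
        return (op, kids), pos + 1
    end = text.find(")", pos)
    attr, eq, value = text[pos:end].partition("=")
    if end < 0 or not eq:
        raise ValueError("malformed filter item at offset %d" % pos)
    return ("=", attr.strip().lower(), value), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive)."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    pattern = ".*".join(re.escape(part) for part in node[2].split("*"))
    return any(re.fullmatch(pattern, v, re.I) for v in attrs.get(node[1], []))

def aci_targets(aci, entries):
    """Return the DNs selected by the ACI's targetfilter, for review before applying it."""
    m = re.search(r'\(\s*targetfilter\s*=\s*"([^"]*)"\s*\)', aci)
    if not m:
        raise ValueError("ACI has no targetfilter")
    tree, _ = parse_filter(m.group(1))
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))
```

With the constructed entries, the guide's filter selects both entries whose uid is bjensen, including the one outside ou=accounting; narrowing it to (&(uid=bjensen)(ou=accounting)) leaves only one.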
9.9. Allowing Users to Add or Remove Themselves from a Group
Many directories set ACIs that allow users to add or remove themselves from groups. This is
useful, for example, for allowing users to add and remove themselves from mailing lists.
Chapter 6. Managing Access Control