|2. The Directory Server Access Control Model > Compatibility With the Sun Java System Directory Server Access Control Model|
Global ACI configuration differs from Sun Java System Directory Server, Version 6, global ACI implementation in two ways:
The ds-config-global-aci attribute specifies a global ACI in the cn=Access Control Handler,cn=config entry (see Access Control Principles) rather than placing the ACI in the root DSE entry as in Sun Java System Directory Server, Version 6.
The scope of the global ACI can be narrowed by specifying a target keyword in the ACI. For example, the following global ACI restricts anonymous read access to entries under the suffix dc=example,dc=com:
ds-cfg-global-aci: (target="dc=example,dc=com") (targetattr!="userPassword||authPassword") (version 3.0; acl "Anonymous read access only under dc=example,dc=com suffix"; allow (read,search,compare) userdn="ldap:///anyone";)
Removing the (target="dc=example,dc=com") expression would make the ACI global to all entries in the directory server.
Global ACIs are not supported in Sun Java System Directory Server versions earlier than Version 6.