The targattrfilters keyword is used in ACIs to target specific attribute values by using LDAP filters. By using the targattrfilters keyword, you can grant or deny permissions on an attribute if that attribute's value meets the criteria defined in the ACI. An ACI that grants or denies access based on an attribute's value, is called a value-based ACI. The targattrfilters keyword uses this syntax:
(targattrfilters="add=attr1:F1 && attr2:F2... && attrn:Fn, \ del=attr1:F1 && attr2:F2 ... && attrn:Fn")
represents the operation of creating an attribute.
represents the operation of deleting an attribute.
represents the target attributes.
represents filters that apply only to the associated attribute.
The following conditions must be met when filters apply to entries, and those entries are created, deleted or modified:
When an entry is created or deleted, each instance of that attribute must satisfy the filter.
When an entry is modified, if the operation adds an attribute, then the add filter that applies to that attribute must be satisfied; if the operation deletes an attribute, then the delete filter that applies to that attribute must be satisfied.
If individual values of an attribute already present in the entry are replaced, then the add and delete filters must be satisfied.
The following ACI allows users to add any role to their own entry, except the superAdmin role. It also allows users to add a telephone number with a 123 prefix.
(targattrfilters="add=nsroleDN:(!(nsRoleDN=cn=superAdmin)) \ && telephoneNumber:(telephoneNumber=123*)")