Sun Java System Directory Server Enterprise Edition 6.1 Reference

targetattrfilters Keyword

The targetattrfilters keyword is used in ACIs to target specific attribute values by using LDAP filters. By using the targetattrfilters keyword, you can grant or deny permissions on an attribute if that attribute's value meets the criteria defined in the ACI. An ACI that grants or denies access based on an attribute's value, is called a value-based ACI. The targetattrfilters keyword uses this syntax:

(targettrfilters="Op=attr1:F1 [(&& attr2:F2)*][;Op=attr:F [(&& attr:F)*]")

The targetattrfilters keyword can have the following values:


An add or delete operation


To create an attribute


To delete an attribute


The target attributes


Filters that apply to the associated attribute

The following conditions must be met when filters apply to entries, and those entries are created, deleted or modified:

Example 2–2 Using the targetattrfilters Keyword to Allow Users to Add Roles to Their Own Entries

The following ACI allows users to add any role to their own entry, except the superAdmin role. It also allows users to add a telephone number with a 123 prefix.

 && telephoneNumber:(telephoneNumber=123*)")

Example 2–3 Using the targetattrfilters Keyword to Allow Group Members to Modify Specific Attributes

The following example allows members of the Engineering Admins group to modify the departmentNumber and manager attributes of all entries in the Engineering business category. This example filters entries with the businessCategory attributes set to Engineering:

dn: dc=example,dc=com
objectClass: top
objectClass: organization
aci: (targetattr="departmentNumber || manager")
  (version 3.0; acl "eng-admins-write"; allow (write)
  groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)