Some organizations allow employees to create entries in the tree to increase employees' efficiency and to encourage employees to contribute to the corporate dynamics. At Example.com, for example, the social committee is organized into various clubs, such as tennis, swimming, skiing, and role-playing.
Any Example.com employee can create a group entry that represents a new club, as shown in ACI “Create Group”.
Any Example.com employee can become a member of one of these groups, as shown in Allowing Users to Add or Remove Themselves From a Group.
Only the group owner can modify or delete a group entry, as shown in ACI “Delete Group”.
In LDIF, to grant Example.com employees the right to create a group entry under the ou=Social Committee branch, you would write the following statement:
aci: (targetattr="*")
 (targattrfilters="add=objectClass:(|(objectClass=groupOfNames)(objectClass=top))")
 (version 3.0; acl "Create Group"; allow (read,search,add)
 (userdn="ldap:///uid=*,ou=People,dc=example,dc=com" and dns="*.Example.com");)
This example assumes that the ACI is added to the ou=Social Committee,dc=example,dc=com entry.
This ACI does not grant write permission, which means that the entry creator cannot modify the entry.
Because the server adds the objectClass value top behind the scenes when it creates the entry, the targattrfilters filter must also permit objectClass=top, not only objectClass=groupOfNames.
The dns clause restricts the client machine to the example.com domain.
In LDIF, to grant Example.com employees the right to modify or delete a group entry of the group to which they belong under the ou=Social Committee branch, you would write the following statement:
aci: (targetattr="*")
 (targattrfilters="del=objectClass:(objectClass=groupOfNames)")
 (version 3.0; acl "Delete Group"; allow (write,delete)
 userattr="owner#GROUPDN";)
This example assumes that the ACI is added to the ou=Social Committee,dc=example,dc=com entry.
Note that using DSCC to create this ACI is not very effective, because you must switch to manual editing mode to enter the target filter and the group-ownership bind rule.
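The following LDIF is an added, constructed example that is not part of the original documentation: it shows the ou=Social Committee container carrying both ACIs above, one club entry as an employee would create it, and the owner group that the club's owner attribute points to. The entry names (Tennis Club, tennis-owners, uid=bjensen, ou=Groups) are assumed for illustration, and the parent entries dc=example,dc=com, ou=People and ou=Groups are assumed to exist already.

```ldif
# Added example (constructed, not from the original page): the Social Committee
# subtree with both ACIs in place, one club entry, and its owner group.

# 1. Container entry carrying both ACIs. The add= filter must permit
#    objectClass=top because the server adds that value implicitly to every
#    new entry; without it the employee's add would be refused.
dn: ou=Social Committee,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Social Committee
aci: (targetattr="*")
 (targattrfilters="add=objectClass:(|(objectClass=groupOfNames)(objectClass=top))")
 (version 3.0; acl "Create Group"; allow (read,search,add)
 (userdn="ldap:///uid=*,ou=People,dc=example,dc=com" and dns="*.example.com");)
aci: (targetattr="*")
 (targattrfilters="del=objectClass:(objectClass=groupOfNames)")
 (version 3.0; acl "Delete Group"; allow (write,delete)
 userattr="owner#GROUPDN";)

# 2. Club entry that an employee (assumed uid=bjensen) may add under
#    "Create Group". Only the objectClass values groupOfNames and top pass the
#    add= filter, so a different structural class (for example
#    groupOfUniqueNames) would be rejected. "Create Group" grants no write
#    right, so the creator cannot change the entry afterwards unless they are
#    also a member of the group named in the owner attribute.
dn: cn=Tennis Club,ou=Social Committee,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Tennis Club
owner: cn=tennis-owners,ou=Groups,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com

# 3. Owner group referenced by the club's owner attribute (assumed name).
#    userattr="owner#GROUPDN" matches a bind DN only when it is a member of
#    this group, so these members are the only ones who can modify or delete
#    the cn=Tennis Club entry under "Delete Group".
dn: cn=tennis-owners,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: tennis-owners
member: uid=bjensen,ou=People,dc=example,dc=com
```

To confirm the grants behave as intended after loading this as the directory administrator, bind as uid=bjensen from a host inside example.com and attempt a modify of cn=Tennis Club: the modify should succeed only while bjensen is listed in cn=tennis-owners, and an attempt from a host outside the domain should be refused by the dns clause of "Create Group" even for the add itself.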