Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition

Granting Access to a Certain Level

You can set the scope of an ACI to affect different levels within your directory tree, to fine-tune the level of access you want to allow. The target ACI scope can be set to one of the following:

- The entry itself
- The entry itself and all entries one level below
- The entry itself and all entries beneath that entry, to an unlimited depth

ACI “Read only”

In LDIF, to grant subscribers the right to read the entry dc=example,dc=com for company contact information, but not allow access to any entries below it, you would write the following statement:

aci: (targetscope="base") (targetattr="*")(version 3.0;
 acl "Read only";  allow (read,search,compare)
 <bind rule that matches the subscribers>;)

This example assumes that the ACI is added to the dc=example,dc=com entry.
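The following added example (not part of the Oracle guide) models only the scope decision described above, so you can check which entries an ACI placed on dc=example,dc=com reaches at each level before loading it. It assumes `onelevel` and `subtree` as the targetscope keywords for the second and third levels in the list; the function names and sample DNs are constructed for illustration, and DN parsing is simplified.

```python
import re

def rdns(dn):
    """Split a DN into normalized RDNs (simplified: honours backslash-escaped commas only)."""
    parts = [p for p in re.split(r"(?<!\\),", dn) if p.strip()]
    # Lower-case and trim so "dc=example, dc=com" equals "dc=example,dc=com".
    return ["=".join(x.strip().lower() for x in p.split("=", 1)) for p in parts]

def depth_below(aci_dn, entry_dn):
    """Levels that entry_dn sits below aci_dn, or None if it is outside that subtree."""
    base, entry = rdns(aci_dn), rdns(entry_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return None
    return len(entry) - len(base)

def in_scope(aci_dn, targetscope, entry_dn):
    """True if an ACI stored on aci_dn with this targetscope applies to entry_dn."""
    depth = depth_below(aci_dn, entry_dn)
    if depth is None:
        return False
    if targetscope == "base":       # the entry itself
        return depth == 0
    if targetscope == "onelevel":   # the entry itself and one level below
        return depth <= 1
    if targetscope == "subtree":    # the entry itself and everything beneath it
        return True
    raise ValueError("unknown targetscope: %r" % targetscope)

def covered(aci_dn, targetscope, entries):
    """Return the subset of entries that the scope reaches, in input order."""
    return [e for e in entries if in_scope(aci_dn, targetscope, e)]

# Constructed sample tree, not taken from a real directory.
SAMPLE_ENTRIES = [
    "dc=example,dc=com",
    "ou=People,dc=example,dc=com",
    "uid=bjensen,ou=People,dc=example,dc=com",
    "dc=example,dc=org",
]

if __name__ == "__main__":
    for scope in ("base", "onelevel", "subtree"):
        print(scope)
        for dn in covered("dc=example, dc=com", scope, SAMPLE_ENTRIES):
            print("   ", dn)
```

With `base`, only dc=example,dc=com is listed, which is the behaviour the "Read only" ACI relies on to keep subordinate entries out of reach.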