Defining Rules for Entries and Attributes

Access control rules define which users are granted which permission for a given set of entries or attributes. For example, you can give a user read permission for all attributes except password in all entries, and compare permission for password attributes.

You can define the set of entries or attributes to which an access control rule applies by using:

• The symbol * to represent all entries

• A regular expression in a distinguished name (see "Using the DN Editor")

• An LDAP filter (see "Using the Filter Editor")

• The presence of a particular attribute

For example, you could define the following access control rules:

• Users have write access to their own password attribute, but only compare access to the passwords of other users.

• A user whose entry contains the attribute value locality=San Francisco has read access to all other entries that contain the attribute value locality=San Francisco, but cannot read the password attribute value.

The access control rules are applied in sequence, so the order in which they are listed is important. You must state the most specific rules first, with more general rules afterward. "Configuring Access Control" explains how to define an access control rule using the configuration tool, and how to specify the order of rules.