DS 5.2 targetfilter with add permission - ACI eval
When you have an ACI with targetfilter that grants add to a user, is the targetfilter evaluated with respect to the new entry being created?
For example:
(targetattr = "*") (target = "ldap:///ou=books,o=test") (targetfilter = (objectclass=classicbooks)) (version 3.0;acl "addtf";allow (read,compare,search,write,delete,add)(userdn = "ldap:///uid=tbook,o=test");)
The examples in the documentation [targetfilter] all show read, search, compare and lead one to think that the entries must exist for the targetfilter to evaluate.
Thanks
[562 byte] By [luvcryptoa] at [2007-11-27 8:46:41]

# 1
Hi
Read "ACI Placement" at http://docs.sun.com/source/817-7613/aci.html
You can create an ACI on an entry that does not apply directly to that entry but to some or all of the entries in the subtree below it. So when you create the subentry the ACI will apply if it matches. If you do not specify a target the ACI applies to the entry where the ACI is put.
Or did I misunderstand the question?
Regards
/Per-Olov
peo_sa at 2007-7-12 20:49:47

# 2
This appears to me as being the correct answer. Note that Directory Server 6.0 introduced a TargetScope element in ACI that allows one to specify Base, OneLevel or Subtree and reduce the scope of an ACI from its default (subtree).
Regards,
Ludovic.
# 4
When you set an ACI in an existing entry, with a targetfilter down the tree, the targeted entry may or may not exist. When adding an entry, the targetfilter will be evaluated as well to see if you have permissions to write that entry and its attributes.
Regards,
Ludovic.
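
The behaviour described in reply # 4, as an added example that is not part of the thread and not Directory Server code: a simplified Python model that checks the question's ACI against the entry being added. The function names and sample entries are constructed for illustration, and the model assumes a single allow ACI with default deny and handles only an equality filter.

```python
import re

# ACI exactly as posted in the question.
ACI = ('(targetattr = "*") (target = "ldap:///ou=books,o=test") '
       '(targetfilter = (objectclass=classicbooks)) '
       '(version 3.0;acl "addtf";allow (read,compare,search,write,delete,add)'
       '(userdn = "ldap:///uid=tbook,o=test");)')

def norm_dn(dn):
    # Simplified DN normalisation (assumption): lowercase, trim each RDN.
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_aci(aci):
    # Extract only the parts this model needs; quotes around the filter are optional.
    target = re.search(r'\(target\s*=\s*"ldap:///([^"]*)"\)', aci).group(1)
    attr, value = re.search(
        r'\(targetfilter\s*=\s*"?\((\w+)=([^)]*)\)"?\)', aci).groups()
    perms = re.search(r'allow\s*\(([^)]*)\)', aci).group(1)
    userdn = re.search(r'userdn\s*=\s*"ldap:///([^"]*)"', aci).group(1)
    return {"target": norm_dn(target),
            "filter": (attr.lower(), value.lower()),
            "perms": {p.strip() for p in perms.split(",")},
            "userdn": norm_dn(userdn)}

def in_subtree(dn, base):
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)

def allows_add(aci, bind_dn, new_dn, new_attrs):
    """True if this single allow ACI grants 'add' for the candidate entry."""
    a = parse_aci(aci)
    attr, value = a["filter"]
    values = [v.lower() for k, vs in new_attrs.items()
              if k.lower() == attr for v in vs]
    return ("add" in a["perms"]
            and norm_dn(bind_dn) == a["userdn"]
            and in_subtree(new_dn, a["target"])
            and value in values)  # filter is matched against the entry being added

# Constructed sample entries: one matches the targetfilter, one does not.
CLASSIC = {"objectClass": ["top", "classicbooks"], "cn": ["Moby Dick"]}
MODERN = {"objectClass": ["top", "modernbooks"], "cn": ["Neuromancer"]}

if __name__ == "__main__":
    user = "uid=tbook,o=test"
    print(allows_add(ACI, user, "cn=Moby Dick,ou=books,o=test", CLASSIC))
    print(allows_add(ACI, user, "cn=Neuromancer,ou=books,o=test", MODERN))
```

On a real server the second add would be refused with an insufficient access result unless some other ACI allows it.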