Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual page 201

For example, you might grant all users in your organization permission to modify
the nsRoleDN attribute in their own entry. However, you would also want to
ensure that they do not give themselves certain key roles such as "Top Level
Administrator." LDAP filters are used to check that the conditions on attribute
values are satisfied.

To create a value-based ACI, you must use the targattrfilters keyword with the
following syntax:

(targattrfilters="add=attr1:F1 && attr2:F2... && attrn:Fn,del=attr1:F1 &&
attr2:F2 ... && attrn:Fn")

where:
add represents the operation of creating an attribute
del represents the operation of deleting an attribute
attrx represents the target attributes
Fx represents filters that apply only to the associated attribute

When creating an entry, if a filter applies to an attribute in the new entry, then each
instance of that attribute must satisfy the filter. When deleting an entry, if a filter
applies to an attribute in the entry, then each instance of that attribute must also
satisfy the filter.

When modifying an entry, if the operation adds an attribute, then the add filter that
applies to that attribute must be satisfied; if the operation deletes an attribute, then
the delete filter that applies to that attribute must be satisfied. If individual values
of an attribute already present in the entry are replaced, then both the add and
delete filters must be satisfied.

For example, consider the following attribute filter:

(targattrfilters="add=nsroleDN:(!(nsRoleDN=cn=superAdmin)) &&
telephoneNumber:(telephoneNumber=123*)")

This filter can be used to allow users to add any role (nsRoleDN attribute) to their
own entry, except the superAdmin role. It also allows users to add a telephone
number with a 123 prefix.

NOTE
You cannot create value-based ACIs from the Server Console.

Creating ACIs Manually
Chapter 6
Managing Access Control
201
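
The evaluation rules above, as an added Python example that is not taken from the manual or from the server's code: it parses a targattrfilters value and checks add, delete and replace operations against it. The del clause in the sample, the function names, and the matcher (equality, trailing-wildcard and negation filters only) are assumptions made for illustration.

```python
import re

def parse_targattrfilters(spec):
    """Parse 'add=a1:F1 && a2:F2,del=a1:F1' into {'add': {...}, 'del': {...}}."""
    rules = {"add": {}, "del": {}}
    # Split only at a comma that begins the next operation: DNs inside
    # filters may contain commas themselves.
    for section in re.split(r",\s*(?=(?:add|del)=)", spec.strip()):
        op, body = section.split("=", 1)
        for pair in body.split("&&"):
            attr, flt = pair.strip().split(":", 1)
            rules[op][attr.strip().lower()] = flt.strip()
    return rules

def matches(flt, value):
    """Simplified matcher (assumption): (attr=value), (attr=prefix*), (!(...))."""
    inner = flt.strip()[1:-1]
    if inner.startswith("!"):
        return not matches(inner[1:], value)
    pattern = inner.split("=", 1)[1].lower()
    if pattern.endswith("*"):
        return value.lower().startswith(pattern[:-1])
    return value.lower() == pattern

def value_filters_ok(rules, op, attr, old_values=(), new_values=()):
    """op is 'add', 'delete' or 'replace'; every affected value must match."""
    affected = []
    if op in ("add", "replace"):      # values being written face the add filter
        affected.append(("add", new_values))
    if op in ("delete", "replace"):   # values being removed face the del filter
        affected.append(("del", old_values))
    for kind, values in affected:
        flt = rules[kind].get(attr.lower())
        # No filter for this attribute means no value condition from this keyword.
        if flt and not all(matches(flt, v) for v in values):
            return False
    return True

# The manual's add clause plus a constructed del clause for telephoneNumber.
RULES = parse_targattrfilters(
    "add=nsroleDN:(!(nsRoleDN=cn=superAdmin)) && "
    "telephoneNumber:(telephoneNumber=123*),"
    "del=telephoneNumber:(telephoneNumber=123*)")

if __name__ == "__main__":
    print(value_filters_ok(RULES, "add", "nsRoleDN", new_values=["cn=helpdesk"]))
    print(value_filters_ok(RULES, "add", "nsRoleDN", new_values=["cn=superAdmin"]))
    print(value_filters_ok(RULES, "replace", "telephoneNumber",
                           old_values=["5550000"], new_values=["1230000"]))
```

The replace case fails even though the new number has the 123 prefix, because the value being removed does not satisfy the del filter.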

This manual is also suitable for:

Directory server 6.02
