Figure 6-1 Using Inheritance With The Userattr Keyword - Netscape DIRECTORY SERVER 6.1 - ADMINISTRATOR Administrator's Manual

Bind Rules
For example,
userattr = "parent[0,1].manager#USERDN"
This bind rule is evaluated to be true if the bindDN matches the manager attribute
of the targeted entry. The permissions granted when the bind rule is evaluated to
be true apply to the target entry and to all entries immediately below it.
Example With userattr Inheritance
The example in Figure 6-1 indicates that user
search the
includes
and news IDs.
Figure 6-1 Using Inheritance With the userattr Keyword
In this example, if you did not use inheritance you would have to do one of the
following to achieve the same result:
• Explicitly set read and search access for user
cn=mail
• Add the owner attribute with a value of
entries and then add the following ACI to the
aci: (targetattr="*") (version 3.0; acl "profiles access"; allow
(read,search) userattr="owner#USERDN";)
222 Netscape Directory Server Administrator's Guide • August 2002
entry as well as the first level of child entries which
cn=Profiles
and
cn=mail cn=news
, and entries in the directory.
cn=news
bjensen
, thus allowing her to search through her own mail
bjensen
bjensen
cn=mail
is allowed to read and
on the
cn=Profiles
to the and
cn=mail cn=news
and entries.
cn=news
,