5.1.2. ACI Permissions

ACI permission definitions take one of the following forms.

allow(action[, action …])
deny(action[, action …])
Tip

Although deny is supported, avoid restricting permissions by using deny. Instead, explicitly allow access only where needed. What looks harmless and simple in your lab examples can grow difficult to maintain in a real-world deployment with nested ACIs.

Replace action with one of the following.

add

Entry creation, as for an LDAP add operation

all

All permissions, except export, import, proxy

compare

Attribute value comparison, as for an LDAP compare operation

delete

Entry deletion, as for an LDAP delete operation

export

Entry export during a modify DN operation.

Despite the name, this action is unrelated to LDIF export operations.

import

Entry import during a modify DN operation.

Despite the name, this action is unrelated to LDIF import operations.

proxy

Access the ACI target using the rights of another user

read

Read entries and attributes

search

Search the ACI targets. Needs to be combined with read in order to read the search results.

selfwrite

Add or delete own DN from a group

write

Modify attributes on ACI target entries
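The following is an added example, not part of the original documentation or the server's own code: a small Python checker for the permission clause form described above. It parses `allow(action[, action …])` / `deny(action[, action …])`, rejects action names not in the list, expands `all` to every action except export, import and proxy, and reports the points a reviewer would flag: use of `deny`, `search` granted without `read` (search results cannot be read), and a `proxy` grant. The action names and the `all` expansion come from this page; the finding messages and function names are this example's own.

```python
import re

# Actions listed on this page for ACI permission clauses.
ACTIONS = {
    "add", "all", "compare", "delete", "export", "import",
    "proxy", "read", "search", "selfwrite", "write",
}

# Per the page: "all" means every permission except export, import and proxy.
ALL_EXPANDS_TO = ACTIONS - {"all", "export", "import", "proxy"}

# allow(...) or deny(...) with one or more comma-separated action names.
PERMISSION_RE = re.compile(
    r"^\s*(allow|deny)\s*\(\s*([A-Za-z]+(?:\s*,\s*[A-Za-z]+)*)\s*\)\s*$",
    re.IGNORECASE,
)


def parse_permission(text):
    """Parse a permission clause into (kind, set_of_actions).

    Raises ValueError for anything that is not of the documented form or
    that names an action not in the documented list.
    """
    match = PERMISSION_RE.match(text)
    if not match:
        raise ValueError(f"not an ACI permission clause: {text!r}")
    kind = match.group(1).lower()
    actions = {a.strip().lower() for a in match.group(2).split(",")}
    unknown = actions - ACTIONS
    if unknown:
        raise ValueError(f"unknown action(s): {sorted(unknown)}")
    return kind, actions


def effective_actions(actions):
    """Expand 'all' into the concrete actions it stands for."""
    effective = set(actions)
    if "all" in effective:
        effective.discard("all")
        effective |= ALL_EXPANDS_TO
    return effective


def review_permission(text):
    """Return (kind, effective_actions, findings) for one permission clause.

    The findings are review hints based on the guidance on this page (the
    message wording is this example's own, not the server's).
    """
    kind, actions = parse_permission(text)
    effective = effective_actions(actions)
    findings = []
    if kind == "deny":
        findings.append("uses deny; prefer explicit allow")
    if "search" in effective and "read" not in effective:
        findings.append("search without read: entries can be matched but not returned")
    if "proxy" in effective:
        findings.append("grants proxy: target accessed with another user's rights")
    return kind, effective, findings


if __name__ == "__main__":
    # Constructed sample clauses for a quick run.
    for clause in ["allow(read, search, compare)", "allow(search)",
                   "deny(write)", "allow(all, proxy)"]:
        print(clause, "->", review_permission(clause))
```

Run it on the `aci` values of an entry exported from your directory (each value contains one or more such permission clauses) to spot clauses that rely on `deny` or that grant `search` without `read` before they become hard to untangle in nested ACIs.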