Designing Access Control
Chapter 7 Designing a Secure Directory 135

The ACI variables are defined below:

• target
  Specifies the entry (usually a subtree) the ACI targets, the attribute it targets, or both. The target identifies the directory element that the ACI applies to. An ACI can target only one entry, but it can target multiple attributes. In addition, the target can contain an LDAP search filter. This allows you to set permissions for widely scattered entries that contain common attribute values.

• permission
  Identifies the actual permission being set by this ACI. The permission says that the ACI is allowing or denying a specific type of directory access, such as read or search, to the specified target.

• bind_rule
  Identifies the bind DN or network location to which the permission applies. The bind rule may also specify an LDAP filter, and if that filter is evaluated to be true for the binding client application, then the ACI applies to the client application.

So, ACIs are expressed as follows:

“For the directory object target, allow or deny permission if the bind_rule is true.”

permission and bind_rule are set as a pair, and you can have multiple permission bind_rule pairs for every target. This allows you to efficiently set multiple access controls for any given target. For example:

target(permission bind_rule)(permission bind_rule)...

For example, you can set a permission that allows anyone binding as Babs Jensen to write to Babs Jensen’s telephone number. The bind rule in this permission is the part that states “if you bind as Babs Jensen.” The target is Babs Jensen’s phone number, and the permission is write access.

Targets

You must decide what entry is targeted by every ACI you create in your directory. If you target a directory entry that is a directory branch point, then that branch point, as well as all of its child entries, are included in the scope of the permission. If you do not explicitly specify a target entry for the ACI, then the ACI is targeted to the directory entry that contains the ACI statement. Also, the default set of attributes targeted by the ACI is any attribute available in the targeted entry’s object class structure.
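As an added example, not code from this guide or from the Directory Server product, the script below splits an ACI written in the Directory Server aci-attribute syntax (target keywords followed by a version 3.0 block of allow/deny pairs) into the target, permission and bind_rule variables described above, applies the two defaults from the Targets section (target falls back to the entry holding the ACI, no targetattr means every attribute), and decides a request against it. The DNs, the two ACI strings and the userdn-only bind-rule matching are assumptions constructed for the demo.

```python
import re

# A target keyword and a permission/bind_rule pair in the aci syntax.
TARGET_RE = re.compile(r'\(\s*(target|targetattr)\s*=\s*"([^"]*)"\s*\)')
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]+);')

def parse_aci(aci, holder_dn):
    """Return {target, targetattr, rules}: one target, many (verb, rights, bind_rule).
    holder_dn (the entry carrying the ACI) is the default target; targetattr None = all."""
    spec = {"target": holder_dn.lower(), "targetattr": None, "rules": []}
    for keyword, value in TARGET_RE.findall(aci):
        if keyword == "target":
            spec["target"] = value.replace("ldap:///", "").lower()
        else:
            spec["targetattr"] = {a.strip().lower() for a in value.split("||")}
    for verb, rights, bind_rule in RULE_RE.findall(aci):
        spec["rules"].append((verb, {r.strip() for r in rights.split(",")}, bind_rule.strip()))
    return spec

def bind_rule_matches(bind_rule, bind_dn, entry_dn):
    """Only userdn bind rules are handled here: anyone, self, or a literal DN."""
    m = re.fullmatch(r'userdn\s*=\s*"ldap:///([^"]*)"', bind_rule)
    if not m:
        return False
    who = m.group(1).lower()
    if who in ("anyone", "self"):
        return who == "anyone" or bind_dn.lower() == entry_dn.lower()
    return bind_dn.lower() == who

def decide(spec, bind_dn, entry_dn, attr, right):
    """True if the ACI grants `right` on `attr` of `entry_dn` to `bind_dn`.
    Scope is the target entry plus its subtree; an explicit deny wins."""
    if not entry_dn.lower().endswith(spec["target"]):   # naive subtree test
        return False
    if spec["targetattr"] is not None and attr.lower() not in spec["targetattr"]:
        return False
    granted = False
    for verb, rights, bind_rule in spec["rules"]:
        if right in rights and bind_rule_matches(bind_rule, bind_dn, entry_dn):
            if verb == "deny":
                return False
            granted = True
    return granted

# Constructed sample: the guide's "Babs Jensen may write her own phone number",
# placed on Babs's entry, so the target defaults to that entry.
PEOPLE = "ou=People,dc=example,dc=com"
BABS = "uid=bjensen," + PEOPLE
BABS_PHONE_ACI = ('(targetattr="telephoneNumber")(version 3.0; acl "Babs phone"; '
                  f'allow (write) userdn="ldap:///{BABS}";)')
# Constructed sample on a branch point: one target, two permission/bind_rule pairs.
PEOPLE_ACI = (f'(target="ldap:///{PEOPLE}")(version 3.0; acl "People branch"; '
              'allow (read,search) userdn="ldap:///anyone"; '
              'deny (write) userdn="ldap:///anyone";)')
```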