Creating ACIs Manually

Chapter 6 Managing Access Control

For example, you might grant all users in your organization permission to modify the nsRoleDN attribute in their own entry. However, you would also want to ensure that they do not give themselves certain key roles such as "Top Level Administrator." LDAP filters are used to check that the conditions on attribute values are satisfied.

To create a value-based ACI, you must use the targattrfilters keyword with the following syntax:

(targattrfilters="add=attr1:F1 && attr2:F2 ... && attrn:Fn,del=attr1:F1 && attr2:F2 ... && attrn:Fn")

where:

- add represents the operation of creating an attribute
- del represents the operation of deleting an attribute
- attrx represents the target attributes
- Fx represents filters that apply only to the associated attribute

When creating an entry, if a filter applies to an attribute in the new entry, then each instance of that attribute must satisfy the filter. When deleting an entry, if a filter applies to an attribute in the entry, then each instance of that attribute must also satisfy the filter.

When modifying an entry, if the operation adds an attribute, then the add filter that applies to that attribute must be satisfied; if the operation deletes an attribute, then the delete filter that applies to that attribute must be satisfied. If individual values of an attribute already present in the entry are replaced, then both the add and delete filters must be satisfied.

For example, consider the following attribute filter:

(targattrfilters="add=nsRoleDN:(!(nsRoleDN=cn=superAdmin)) && telephoneNumber:(telephoneNumber=123*)")

This filter can be used to allow users to add any role (nsRoleDN attribute) to their own entry, except the superAdmin role. It also allows users to add a telephone number with a 123 prefix. Because the example specifies only add filters, it places no value-based condition on deleting these attributes; delete rights are governed by the rest of the ACI.

NOTE: You cannot create value-based ACIs from the Server Console.

Targeting a Single Directory Entry

Targeting a single directory entry is not straightforward because it goes against the design philosophy of the access control mechanism. However, it can be done:
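To make the add/del/replace semantics of the value-based ACI section above concrete, the following is an added example, written for this page and not taken from the Directory Server code or the original guide. It parses a targattrfilters value, then checks an LDAP modify operation against it the way the text describes: every added value must pass the add filter, every deleted value must pass the del filter, and a replace must pass both. Assumptions of this example: the rule string is split only at ",add=" / ",del=" (so commas inside DN-valued filters survive), the filter parser handles only attr=value, the "*" wildcard and the &, | and ! operators, the sample entry and the extra del filter on nsRoleDN are constructed here (the text's example carries add filters only), and the helper names parse_filter, eval_filter, parse_targattrfilters and modify_allowed are this example's own.

```python
"""Added example (not Directory Server code): evaluate a targattrfilters rule
against an LDAP modify, following the add/del/replace semantics above.
Filter subset: attr=value, '*' wildcard, and the &, | and ! operators."""
import re


def parse_filter(s, i=0):
    """Recursive-descent parse of an LDAP search filter into a tuple tree."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), _close(s, i)
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        return ("!", node), _close(s, i)
    j = s.index(")", i)  # values containing ')' are not handled here
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.strip().lower(), val), j + 1


def _close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def eval_filter(node, view):
    """Evaluate a parsed filter against view = {attr_lower: [values]}."""
    op = node[0]
    if op == "=":  # '*' matches any run of characters, case-insensitively
        rx = ".*".join(re.escape(p) for p in node[2].split("*"))
        return any(re.fullmatch(rx, v, re.I) for v in view.get(node[1], []))
    if op == "!":
        return not eval_filter(node[1], view)
    if op == "&":
        return all(eval_filter(k, view) for k in node[1])
    return any(eval_filter(k, view) for k in node[1])  # '|'


def parse_targattrfilters(spec):
    """'add=a:F && b:G,del=a:H' -> {'add': {'a': tree, 'b': tree}, 'del': {'a': tree}}"""
    rules = {"add": {}, "del": {}}
    # Split only at ',add=' / ',del=' (an assumption of this example) so that
    # commas inside DN-valued filters survive.
    for part in re.split(r",(?=(?:add|del)=)", spec.strip()):
        kind, _, body = part.partition("=")
        if kind not in rules:
            raise ValueError("unknown operation %r" % kind)
        for clause in body.split("&&"):
            attr, _, filt = clause.strip().partition(":")
            tree, end = parse_filter(filt.strip())
            if end != len(filt.strip()):
                raise ValueError("trailing text in filter for %s" % attr)
            rules[kind][attr.strip().lower()] = tree
    return rules


def _values_allowed(rules, kind, attr, values, entry):
    """Each value instance must satisfy the (kind, attr) filter, if any."""
    tree = rules[kind].get(attr)
    if tree is None:
        return True  # no filter for this attribute/operation: unrestricted
    return all(eval_filter(tree, dict(entry, **{attr: [v]})) for v in values)


def modify_allowed(rules, entry, mods):
    """mods: [(op, attr, values)], op in add/delete/replace. Returns (ok, reason)."""
    entry = {k.lower(): list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        attr = attr.lower()
        if op == "add":
            checks = [("add", values)]
        elif op == "delete":  # an empty value list deletes the whole attribute
            checks = [("del", values or entry.get(attr, []))]
        elif op == "replace":  # old values are deleted and new ones added:
            checks = [("del", entry.get(attr, [])), ("add", values)]  # both apply
        else:
            raise ValueError("unsupported modify op %r" % op)
        for kind, vals in checks:
            if not _values_allowed(rules, kind, attr, vals, entry):
                return False, "%s %s=%r rejected by %s filter" % (op, attr, vals, kind)
    return True, "ok"


# Constructed sample data: the add filters from the text, plus a del filter on
# nsRoleDN added by this example so the replace case exercises both directions.
SPEC = ("add=nsRoleDN:(!(nsRoleDN=cn=superAdmin)) && "
        "telephoneNumber:(telephoneNumber=123*),"
        "del=nsRoleDN:(!(nsRoleDN=cn=superAdmin))")
ENTRY = {"uid": ["bjensen"], "nsRoleDN": ["cn=helpdesk"],
         "telephoneNumber": ["1235550100"]}
RULES = parse_targattrfilters(SPEC)
```

Calling modify_allowed(RULES, ENTRY, [("add", "nsRoleDN", ["cn=superAdmin"])]) is rejected by the add filter, while adding cn=auditor or a 123-prefixed telephone number is allowed. The replace case is the one worth studying: an entry that already holds cn=superAdmin cannot have that value replaced by cn=auditor, because the existing value fails the del filter even though the new value passes the add filter. This checker covers only the value-based part of an ACI; the server also evaluates the target, the permissions and the bind rules before any modify is accepted.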