Access Control Usage Examples242 Netscape Directory Server Administrator’s Guide • August 2002c. Click the Add button to list Self in the list of users who are granted accesspermission.d. Click OK to dismiss the Add Users and Groups dialog box.4. On the Rights tab, tick the checkbox for write. Make sure the other checkboxesare clear.5. On the Hosts tab, click Add to display the Add Host Filter dialog box. In theDNS host filter field, type *.example.com. Click OK to dismiss the dialog box.6. To create the value-based filter for roles, switch to manual editing by clickingthe Edit Manually button. Add the following to the beginning of the LDIFstatement:(targattrfilters="add=nsRoleDN:(nsRoleDN != "cn=superAdmin,dc=example,dc=com")")The LDIF statement should read as follows:(targattrfilters="add=nsRoleDN:(nsRoleDN != "cn=superAdmin,dc=example,dc=com")") (targetattr = “*”) (target ="ldap:///dc=example,dc=com") (version 3.0; acl "Roles"; allow(write) (userdn = "ldap:///self") and (dns="*.example.com");)7. Click OK.The new ACI is added to the ones listed in the Access Control Managerwindow.Granting a Group Full Access to a SuffixMost directories have a group that is used to identify certain corporate functions.These groups can be given full access to all or part of the directory. By applying theaccess rights to the group, you can avoid setting the access rights for each memberindividually. Instead, you grant users these access rights simply by adding them tothe group.For example, when you install the Directory Server using the Typical Installprocess, an Administrators group with full access to the directory is created bydefault.At example.com, the Human Resources group is allowed full access to theou=example-people branch of the directory so that they can update the employeedatabase. This is illustrated in the ACI “HR” example.ACI “HR”In LDIF, to grant the HR group all rights on the employee branch of the directory,you would use the following statement: