[Date Prev][Date Next]
ACL assistance needed
I am looking for a way to write an ACL such that a user only has read access
to entries in a subtree that she also has write access to, to unclutter
things. Let me try to explain better.
Under dc=mycompany,dc=com, I have ou=Email Aliases. Subentries of this are
courierMailAliase objects. Most of these are standard mail aliases. However
I would like a few of them to be editable by specific people. To this end,
in one of these such entries, I put a DN in the roleOccupant attribute for
the person who should be able to edit the entry. I wrote the following ACL
to give her write access:
access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
by dnattr=roleOccupant write
by * none
It works -- it lets the user edit the entry and not edit any other entries
where she is not the roleOccupant. However, I would really like it if the
only entries she could see were the ones that she could write to. Right now
she can view all the aliases, even if she cannot write to them. Is there any
way to accomplish what I am trying to do, without making an ACL for each
specific courierMailAlias in the subtree?