Managing Directory Access Control 29-23 browse,add,delete by browse Setting Up an Inheritable ACP by Using ldapmodify This example sets up subtree access permissions in an orclACI at the root DSE by using an LDIF file named my_ldif_file. Because this example refers to the orclACI attribute, this access directive governs all the entries in the DIT. ldapmodify -v -h myhost -D cn=Directory Manager, o=IMC, c=US -q -f my_ldif_file The LDIF file, my_ldif_file, contains the following: dn: changetype: modify replace: orclaci orclaci: access to entry by dn=cn=directory manager, o=IMC, c=us browse, add, delete by browse, noadd, nodelete orclaci: access to attr= by dn=cn=directory manager, o=IMC, c=us search, read, write, compare by self search, read, write, compare by search, read, nowrite, nocompare Setting Up Entry-Level ACIs by Using ldapmodify This example sets up entry-level access permissions in the orclEntryLevelACI attribute by using an LDIF file named my_ldif_file. Because this example refers to the orclentrylevelACI attribute, this access directive governs only the entry in which it resides. ldapmodify -v -h myhost -D cn=Directory Manager, o=IMC, c=US -q -f my_ldif_file The LDIF file, my_ldif_file, contains the following: dn: changetype: modify replace: orclentrylevelaci orclentrylevelaci: access to entry by dn=cn=directory manager, o=IMC, c=us browse, add, delete by browse, noadd, nodelete orclentrylevelaci: access to attr= by dn=cn=directory manager, o=IMC, c=us search, read, write, compare by search, read, nowrite, nocompare Using Wildcards in an LDIF File with ldapmodify This example shows the use of wildcards in the object and subject specifiers. For all entries within the example.com domain, it grants to everyone browse permission on all entries, and read and search permissions on all attributes. ldapmodify -v -h myhost -D cn=Directory Manager, o=IMC, c=US -q -f my_ldif_file In the ACP at dc=com, the orclACI attribute is specified as follows: access to entry by browse access to attr= by search, read Note: In this example, no DN value is specified. This means that this ACI pertains to the root DSE and its attributes only.