29-24 Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory Note that, in order to enable reading the attributes, you must grant permission to browse the entries. Selecting Entries by DN This example shows the use of a regular expression to select the entries by DN in two access directives. It grants to everyone read-only access to the address book attributes under dc=example,dc=com access. ldapmodify -v -h myhost -D cn=Directory Manager, o=IMC, c=US -q -f my_ldif_file The orclACI attribute of dc=example,dc=com is specified as follows: access to entry by browse access to attr=cn, telephone, email by search, read The orclACI attribute of dc=us, dc=example,dc=com is specified as follows: access to entry by browse access to attr= by dn=.,dc=us,dc=example,dc=com search, read Using Attribute and Subject Selectors This example shows the use of an attribute selector to grant access to a specific attribute, and various subject selectors. The example applies to entries in the dc=us,dc=example,dc=com subtree. The policy enforced by this ACI can be described as follows: ■ For all entries within the subtree, the administrator has add, delete, and browse permissions. Others within the dc=us subtree can browse, but those outside it have no access to the subtree. ■ The salary attribute can be modified by your manager and viewed by yourself. No one else has access to the salary attribute. ■ The userPassword attribute can be viewed and modified by yourself and the administrator. Others can only compare this attribute. ■ The homePhone attribute can be read and written by yourself and viewed by anyone else. ■ For all other attributes, only the administrator can modify values. Everyone else can compare, search, read, but cannot update attribute values. ldapmodify -v -h myhost -D cn=Directory Manager, o=IMC, c=US -q -f my_ldif_file The orclACI attribute of dc=us,dc=example,dc=com is specified as follows: access to entry by dn=cn=admin, dc=us,dc=example,dc=com browse, add, delete by dn=., dc=us,dc=example,dc=com browse by none access to attr=salary by dnattr=manager read, write by self read by none access to attr=userPassword by self search, read, write