OpenDJ: Permissions to update all attributes

Access control instructions are described in the Admin Guide chapter on privileges and ACIs. There are also a few examples in the section on configuring access control.

Two particular aspects of ACIs are worth looking at closely.

  1. If you want a user to be able to update all attributes, even operational attributes, then you can do something like targetattr = "* || +", where the * stands for all user attributes and the + stands for all operational attributes.
    This was brought home to me by the discussion today on the OpenDJ list about updating ds-pwp-password-policy-dn, which is operational.
  2. If you want an administrator to be able to perform all operations, including proxy auth, import, and export operations as well as standard directory operations, then you can use allow(all, proxy, import, export).

A footnote to all this, which Ludo explained to me this morning: ds-pwp-password-policy-dn, the operational attribute that you set to assign a user a password policy, was created so that pwdPolicySubentry could remain untouched. If changes were applied directly to pwdPolicySubentry, then when you see the value cn=Default Password Policy,cn=Password Policies,cn=config, you have no way of knowing whether it was set by the administrator or computed by the server. With ds-pwp-password-policy-dn, who set the value stays explicit.
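Putting both points together, here is an added LDIF example (not from the original post or the OpenDJ project) that first adds an ACI covering all user and operational attributes with every right the post lists, and then uses that right to assign a password policy through ds-pwp-password-policy-dn rather than pwdPolicySubentry. The base DN dc=example,dc=com, the group cn=Directory Administrators, the user uid=bjensen and the ACI name are all constructed values. Because "* || +" with allow (all, proxy, import, export) is the broadest grant an ACI can express, the example binds it to an administrators group via groupdn instead of a wildcard userdn.

```ldif
# Added example, not the post's or the project's own code.
# Constructed values: dc=example,dc=com, the administrators group,
# uid=bjensen and the ACI name.

# 1. Let members of the administrators group read and write every user
#    attribute ("*") and every operational attribute ("+"), including
#    ds-pwp-password-policy-dn, and additionally use proxied authorization
#    and move entries into (import) or out of (export) this subtree via modDN.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="* || +")(version 3.0; acl "Directory Administrators: all attributes, all rights"; allow (all, proxy, import, export) groupdn="ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

# 2. Assign a password policy by writing the operational attribute.
#    pwdPolicySubentry stays server-computed; the presence of
#    ds-pwp-password-policy-dn shows the assignment was made explicitly.
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Default Password Policy,cn=Password Policies,cn=config
```

Apply it with the OpenDJ tools, for example `ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f aci.ldif` (port 1389 is an assumption). To confirm the grant does what you expect before relying on it, OpenDJ's ldapsearch can request effective rights for a given identity with --getEffectiveRightsAuthzid (-g) and a specific attribute with --getEffectiveRightsAttribute (-e), returning aclRights attributes that show whether a member of the group really has write access to ds-pwp-password-policy-dn on uid=bjensen.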