ACI filter on Custom Attribute


This topic has 1 reply, 2 voices, and was last updated 1 year ago by Ludo.


    In our custom Schema, we have an attribute confidentialFlag that has a value of Y or N.
    We want to create an ACI so that anonymous users cannot read the user record if this attribute has a value of Y. I’ve read through the ACI documentation and I’m thinking it might be possible with the use of (targetfilter [!]= “ldap-filter”), but I haven’t found any examples that I can work from.

    Is there anyone that can point me in the right direction?


    I would think that the following ACI would work:

    (targetfilter = "(!(confidentialFlag=Y))")(version 3.0;acl "Search and read non confidential"; allow (search, read) (userdn = "ldap:///anyone");)

    Note that you probably want to restrict which attributes can be read as well, with a targetattr section.
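As an added example (not part of the thread, and not ForgeRock's own documentation), the same ACI in LDIF form, with a targetattr restriction so that anonymous users can neither read nor search on confidentialFlag itself. The base DN ou=People,dc=example,dc=com and the attribute list cn, sn and mail are assumptions for illustration.

```ldif
# Constructed example: add an ACI on the People container so that anonymous
# binds may search and read only entries NOT flagged confidential, and only
# the listed attributes. confidentialFlag is deliberately left out of
# targetattr so that anonymous users cannot filter on it to infer its value.
# Assumed DN: ou=People,dc=example,dc=com (adjust to your suffix).
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "cn || sn || mail")(targetfilter = "(!(confidentialFlag=Y))")(version 3.0; acl "Anonymous read of non-confidential entries"; allow (search, read) (userdn = "ldap:///anyone");)
```

Apply it with ldapmodify as an administrator, then verify with an anonymous ldapsearch that entries with confidentialFlag=Y are absent from the results. Because the NOT filter also matches entries that have no confidentialFlag value at all, make the attribute mandatory in the schema or use (confidentialFlag=N) instead if unflagged entries should stay hidden.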


©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
