ACI filter on Custom Attribute

This topic has 1 reply, 2 voices, and was last updated 2 months, 2 weeks ago by Ludo.

  • #27374
     Giddion
    Participant

    In our custom Schema, we have an attribute confidentialFlag that has a value of Y or N.
    We want to create an ACI so that anonymous users cannot read the user record if this attribute has a value of Y. I’ve read through the ACI documentation and I’m thinking it might be possible with the use of (targetfilter [!]= “ldap-filter”), but I haven’t found any examples that I can work from.

    Is there anyone that can point me in the right direction?

    #27379
     Ludo
    Moderator

    I would think that the following ACI would work:

    (targetFilter = "(!(confidentialFlag=Y))")(version 3.0;acl "Search and read non confidential"; allow (search, read) (userdn = "ldap:///anyone");)

    Note that you probably want to restrict which attributes can be read as well, with a targetAttr section.
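As an added example (not from the original thread), here is the complete ACI written as an LDIF modification that combines the targetfilter with a targetattr restriction. The base DN dc=example,dc=com and the attribute list are assumptions; the filter uses standard RFC 4515 negation, since LDAP filters have no `!=` operator.

```ldif
# Constructed example: add the ACI to the suffix entry (assumed base DN).
# Leading spaces on the continuation lines are LDIF line folding.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "cn || sn || mail")
 (targetfilter = "(!(confidentialFlag=Y))")
 (version 3.0; acl "Anonymous read of non-confidential entries";
 allow (search, read) userdn = "ldap:///anyone";)
```

Because access is denied unless an ACI grants it, no separate deny rule is needed for entries with confidentialFlag=Y; they simply stay invisible to anonymous binds. Keep confidentialFlag itself out of the targetattr list, and remember that `(!(confidentialFlag=Y))` also matches entries where the attribute is absent, so entries must actually carry the flag to be protected.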



©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
