Work in progress
This site is in the process of being reviewed and updated.
{
identificationTag "allowSelfAccessAndModification",
precedence 14,
authenticationLevel none,
itemOrUserFirst userFirst:
{
userClasses { thisEntry },
userPermissions
{
{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse, grantRead } },
{ protectedItems {allAttributeValues {userPassword}}, grantsAndDenials { grantAdd, grantRemove } }
}
}
}
Commentary
Note that two different user permissions are used to accurately specify self access and self modification of the userPassword attribute within the entry. So with the first userPermission of this ACI a user would be able to read all attributes and values within his/her entry. They also have the ability to modify the entry but this is moot since they cannot add, remove or replace any attributes within their entry. The second user permission completes the picture by granting add and remove permissions to all values of userPassword. This means the user can replace the password.
"grantAdd + grantRemove = grantReplace"
Modify operations either add, remove or replace attributes and their values in LDAP. X.500 seems to have overlooked the replace capability. Hence there is no such thing as a grantReplace permission. However grantAdd and grantDelete on an attribute and its values are both required for a replace operation to take place.