Substitution Syntax in Search Base and Attribute Access Control


Dave Bennett 23/03/2006

Have you ever got confused when using substitution syntax in COREid search base and attribute access control settings?

They natural thing to get backwards since they are backwards (from each other that is). Question is, which one is which? Does the logged in user go in the left hand side ot the right hand side? Does the substitution go in the left or right? Well, that one at least is easy; the substitution attribute $attributename$ always goes on the left, errr, I mean right. I just can never remember which one it belongs to: logged in user or objects being searched/viewed/edited/notified?

Well, this is how it works:

Search Base gets set up so that the logged in user’s information goes on the right side of the equation, the substitution side. For instance, the substitution might look like this…

This basiccally says that the search is restricted to all of the objects that have an org that is the same as $myorg$, where $myorg$ is an attribute in my profile and org is an attribute on another object.

Well, is that is how search base works then AAC must be the opposite.

Attribute Access Control gets set up so that the logged in user’s information goes on the left side of the equation, the non-substitution side. For instance, the substitution might look like this for a rule that allows a manager permission to a particular attribute and right…

This essentially says give me (distinguishedname – MS centric example) permission to do this (right) for this attribute where I am the manager. Although I do not know why you would do this explicit thing since COREid already supplies a role for DN based attributes (like manager) that accomplishes the same thing.

No Results