A combination of a value based aci targeting nsroledn:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#997653
And value matching access:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#997653
Gets you there. There are probably other ways to do this too.

Using Macro aci's will cut down on the aci admin for this
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1195760

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf
> Of Gary Mann
> Sent: Tuesday, June 14, 2005 2:13 PM
> To: fedora-directory-users at redhat.com
> Subject: roles and access control
>
> a question: we have a requirement where only users that have
> a role are able to see role membership. so if i have role A,
> i can see the membership for role A (search on
> nsRole=<roleA>) but cannot necessarily see role B members,
> etc. the same restriction applies when pulling the nsRole attribute.
>
> is there any way (via aci) to support this? i've implemented
> a plugin (actually 2 - a computed attribute and preop) that
> supports this but wanted to make sure that i wasn't missing
> something in aci setup that would accomplish the same thing.
>
> Thanks,
> Gary