I'm designing a new directory for keeping records about our company computers, accounts, etc. I would like to have a number of different access levels like support, management, network technician, ... Every entry would have a multivalued attribute named, for example, accessclass to determine its access, and there would be a role for every access level.

What is the best way to implement ACIs like "allow access to every entry with attribute accessclass=support for every member of role support"? I've found out that there are 3 options:

1) Create a separate ACI for each access class.

2) Create a macro ACI using something like roledn = "ldap:///($attr.accessclass),ou=roles,dc=....." But it seems that this macro expands to accessclass=support,ou=roles,.. and thus my roles would need to be named using the accessclass attribute instead of the common name...

3) Create an ACI using userattr like this: userattr = "accessclass#ROLEDN", but this would require having the complete role RDN in the user accessclass attribute.

Which way would you suggest?

Radek
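As an added example (not part of Radek's post), the LDIF below shows the three options side by side in 389 / Red Hat Directory Server ACI syntax. It assumes the suffix dc=example,dc=com, inventory entries under ou=assets, managed roles under ou=roles, and a second class called netadmin; every name is illustrative. The macro record assumes the ($attr.accessclass) token is replaced by the attribute value alone, which is why it is written with a cn= prefix; verify that expansion on your server version before relying on it.

```ldif
# Added example, not from the original post. Assumes 389 DS / Red Hat DS,
# managed roles, suffix dc=example,dc=com, assets under ou=assets and roles
# under ou=roles. Names are illustrative.

# A managed role: members get nsRoleDN pointing at the role entry, and
# roledn / ROLEDN in an ACI match on that computed membership.
dn: cn=support,ou=roles,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: support

dn: cn=netadmin,ou=roles,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: netadmin

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
nsRoleDN: cn=support,ou=roles,dc=example,dc=com

# Option 1: one ACI per access class. accessclass holds a plain label such as
# "support"; targetfilter matches an entry if ANY value of the multivalued
# attribute equals the label.
dn: ou=assets,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter = "(accessclass=support)")(version 3.0; acl "class support -> role support"; allow (read, search, compare) roledn = "ldap:///cn=support,ou=roles,dc=example,dc=com";)
aci: (targetattr = "*")(targetfilter = "(accessclass=netadmin)")(version 3.0; acl "class netadmin -> role netadmin"; allow (read, search, compare, write) roledn = "ldap:///cn=netadmin,ou=roles,dc=example,dc=com";)

# Option 2 (alternative to option 1, do not load both): one macro ACI.
# Assumption: ($attr.accessclass) is replaced by the bare attribute value taken
# from the target entry, so the cn= prefix makes "support" resolve to
# cn=support,ou=roles,... without renaming the roles.
dn: ou=assets,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter = "(accessclass=*)")(version 3.0; acl "class name selects role of the same name"; allow (read, search, compare) roledn = "ldap:///cn=($attr.accessclass),ou=roles,dc=example,dc=com";)

# Option 3 (alternative to 1 and 2): userattr with the ROLEDN bind type. The
# ACI applies when the bound user is a member of the role whose full DN is
# stored in the target entry's accessclass attribute, so the attribute must
# hold DNs rather than labels.
dn: ou=assets,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "accessclass holds the role DN"; allow (read, search, compare) userattr = "accessclass#ROLEDN";)

# An inventory entry as option 3 would need it (option 1 and 2 would store
# "accessclass: support" instead).
dn: cn=srv01,ou=assets,dc=example,dc=com
objectClass: top
objectClass: device
cn: srv01
accessclass: cn=support,ou=roles,dc=example,dc=com
```

Load the records with ldapmodify as the Directory Manager and keep only one of the three ACI records. Whichever option is chosen, accessclass decides who may read an entry, so it must not be writable by the same people the ACIs grant access to: a separate ACI should limit write on accessclass to an administrative role, otherwise anyone with write access to the entry could re-class it into a broader audience. Also note that these ACIs grant only on entries carrying the attribute; entries without accessclass fall through to the default deny.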