set reg-user Command -- Configure Registered User Access Level Rights

This command grants specified access rights at the registered user access level, to specified users, over a specified scope.
Access rights granted at this access level can be taken away by access control rules defined at the protected items access level.
Access control rules are effective only if you enable access controls.
This command has the following format:
set reg-user [tag] = { users scope [attrs = attribute-list] [auth-level = simple | ssl-auth] [perms = permission-list] [validity = [start hhmm end hhmm] [on day]] };
  • tag
    (Optional) Defines a name for this rule.
  • users
    Defines the users that this rule applies to, where users is one of the following:
    • user = DN
      Defines the user that this rule applies to.
    • role = DN
      Defines the role that this rule applies to.
    • group = group-name
      Defines the access control group that this rule applies to. Use of access control groups is deprecated, so use of this option is also deprecated.
    • user-subtree = DN
      Defines the top of the subtree of users that this rule applies to.
    • own-entry
      Specifies that the users defined in scope have access to their own entries only.
    • own-subtree
      Specifies that the users defined in scope have access to their own entries and any entries below their own entry.
  • scope
    Defines the area of the DIT that this rule gives access to, where scope is one of the following:
    • entry = DN
      Specifies the entry that this rule grants access to.
    • subtree = DN
      Specifies the subtree that this rule grants access to.
  • attrs = attribute-list
    (Optional) Defines the attributes or attribute set to which this rule applies, where attribute-list is a comma-separated list of attribute names. If attrs is not specified, the access rule applies to the whole entry. The add and remove permissions require that attrs is not specified.
  • perms = permission-list
    (Optional) Specifies the permissions (access rights) that this rule grants to the users for the scope. If perms is not specified, read permission is granted. permission-list is a comma-separated list of one or more of the following:
    • all
      Grants users all permissions over the scope.
    • read
      Grants users permission to read the information defined in the scope.
    • add
      Grants users permission to add to the information defined in the scope. This also grants read permission.
    • remove
      Grants users permission to delete entries defined in the scope. This also grants read permission.
    • modify
      Grants users permission to change information defined in the scope. This also grants read permission.
    • rename
      Grants users permission to rename the entries defined in the scope. This also grants read permission.
  • auth-level = simple | ssl-auth
    (Optional) Specifies the level of authentication required. If you use this option, use one of the following:
    • simple
      Specifies that this rule only applies to users who bind using simple authentication (username and password).
    • ssl-auth
      Specifies that this rule only applies to users who bind using SSL authentication.
  • validity = [start hhmm end hhmm] [on day]
    (Optional) Defines the period during which this rule is valid. Use any of the following:
    • start hhmm end hhmm
      Defines the start and end of the period during which this rule is valid.
    • on day
      Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is Monday).
Example: Give Read Access to All Users in a Subtree
In the following example, all the users in the R&D subtree can read the Democorp subtree:
set reg-user "R&D-Users" = { user-subtree = <c "AU"><o "Democorp"><ou "R&D"> subtree = <c "AU"><o "Democorp"> };
Example: Give Read Access to an Entry
In the following example, all users in the group staff have read privileges on the Democorp entry:
set reg-user "democorp-staff" = { group = "staff" entry = <c "AU"><o "Democorp"> };
Example: Let All Users Read Some Attributes in Their Own Entry
The following example lets any user in the subtree AU/Democorp view only the selected attributes in their entry:
set reg-user = { own-entry subtree = <c "AU"><o "Democorp"> attrs = telephoneNumber, commonName, surname, title, mhsORAddresses, odEmail };
Example: Let All Users Read and Modify Some Attributes
In this example, all Democorp users can browse all entries in the subtree Democorp; however, when they read or search for an entry in the subtree, only those attributes that you declare are visible.
The users also have modify privileges on the listed attributes for all entries in the subtree:
set reg-user "self-view" = { user-subtree = <c AU><o Democorp> subtree = <c "AU"><o "Democorp"> attrs = telephoneNumber, commonName, surname, title, mhsORAddresses, dcEmail perms = modify };
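Example: Narrow a Broad Grant with attrs, perms, auth-level and validity
The following example is added here and is not part of the original reference; the Helpdesk subtree, the rule tags and the hours are assumptions. It shows the same set of users first with a broad grant over the Democorp subtree, then with the grant narrowed to two attributes, a single permission, an authentication level and a validity window:

```text
# Broad rule (assumed): every user under the Helpdesk subtree gets all permissions
# over the whole Democorp subtree.
set reg-user "helpdesk-all" = { user-subtree = <c "AU"><o "Democorp"><ou "Helpdesk"> subtree = <c "AU"><o "Democorp"> perms = all };

# Narrowed rule (assumed): the same users can modify (which also grants read) only
# telephoneNumber and title, only when bound with SSL authentication, and only
# on weekdays (1 is Monday) between 0800 and 1800.
# add and remove are not granted: they require that attrs is not specified.
set reg-user "helpdesk-phones" = { user-subtree = <c "AU"><o "Democorp"><ou "Helpdesk"> subtree = <c "AU"><o "Democorp"> attrs = telephoneNumber, title perms = modify auth-level = ssl-auth validity = start 0800 end 1800 on 12345 };
```

Both rules are effective only if access controls are enabled, and either can still be overridden by rules defined at the protected items access level.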