

Example: Restrict Searches for All Users Except Administrators

This example describes how to set up search profiles that restrict searches for all users except administrators.

Follow these steps:

  1. Define and assign a default search profile.

    This default profile is applied to all users, including anonymous users. It allows users to perform basic, directory-efficient operations.

    The profile allows read access with any filter, directory browsing with no filter, and complete subtree searches when the filter is built from and (&), or (|), and equality (=) items:

    clear allow-search;
    
    set allow-search userDefault = {
        (scope = read),
        (scope = browse filter = none),
        (scope = subtree filter = and, or, equality)
    };
    
    set allow-search-default = userDefault;
    

    Note: To browse the directory with an LDAP browser (for example, JXplorer), the browse scope must allow filter = none, as in the profile above.

  2. Define a less restrictive search profile for administrative users.

    This search profile allows complete access to the users who are assigned to the admin profile through role-based configuration:

    set allow-search admin =
    {
        (scope = all)
    };
    
  3. Enable role-based configuration.

    Use the following commands:

    set role-subtree = <c AU><o CA><ou groups>;
    set use-roles = true;
    

    Note: When you update the role-based configuration, users must rebind for the updated search profile to apply to subsequent search operations.

  4. Apply the admin search profile to the Administrators role.

    The following LDIF entry adds John Smith to the Administrators group and, through the group's dxAllowSearch attribute, assigns the admin search profile to the group's members.

    dn: cn=Administrators,ou=groups,o=CA,c=AU
    objectClass: groupOfNames
    objectClass: dxRoleBasedConfig
    member: cn=John Smith,ou=users,o=CA,c=AU
    dxAllowSearch: admin
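
The following Python script is an added illustration, not CA Directory code: it models how the two profiles above gate a search request by scope and by the kinds of item in its LDAP filter, so you can see which requests the userDefault profile stops (for example a presence or substring sweep of the whole subtree) and which it lets through. The model makes three assumptions that are labelled in the code: the read scope is treated as an LDAP base-scope search, filter = none is treated as admitting only the default (objectClass=*) browse filter that LDAP browsers send, and the names used for filter item kinds other than and, or and equality (presence, substring, not, and so on) are the script's own.

```python
"""Illustrative model of DXserver allow-search profiles (added example, not product code).

A search request is (scope, filter). A profile is a list of rules; the request
is allowed if any rule admits it. Filter item kinds are extracted from the
RFC 4515 filter string by a small recursive parser.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Item kinds. "and", "or", "equality" are the names used in the page's profiles;
# the remaining names are this model's own (assumption).
AND, OR, NOT = "and", "or", "not"
EQUALITY, PRESENCE, SUBSTRING, GE, LE, APPROX = (
    "equality", "presence", "substring", "greater-or-equal", "less-or-equal", "approx")

# Assumption: "filter = none" admits only the default filter an LDAP browser
# sends when it lists the children of an entry.
DEFAULT_BROWSE_FILTER = "(objectclass=*)"


def filter_items(flt: str) -> set:
    """Return the set of item kinds used anywhere in an LDAP filter string.

    Handles (&...), (|...), (!...) and simple attr=value items. Values that
    contain an unescaped ')' are out of scope for this model.
    """
    items = set()
    pos = 0

    def parse() -> None:
        nonlocal pos
        if flt[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = flt[pos]
        if op in "&|!":
            items.add({"&": AND, "|": OR, "!": NOT}[op])
            pos += 1
            while flt[pos] == "(":
                parse()
        else:
            end = flt.index(")", pos)
            item = flt[pos:end]
            if ">=" in item:
                items.add(GE)
            elif "<=" in item:
                items.add(LE)
            elif "~=" in item:
                items.add(APPROX)
            elif item.endswith("=*"):
                items.add(PRESENCE)
            elif "*" in item.split("=", 1)[1]:
                items.add(SUBSTRING)
            else:
                items.add(EQUALITY)
            pos = end
        if flt[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        pos += 1

    parse()
    if pos != len(flt):
        raise ValueError("trailing characters after filter")
    return items


@dataclass(frozen=True)
class Rule:
    scope: str                                  # "read", "browse", "subtree" or "all"
    filter_kinds: Optional[frozenset] = None    # None = any filter; empty = "filter = none"


# The two profiles from the steps above, transcribed into the model.
# Assumption: "read" is modelled as an LDAP base-scope search of one entry.
USER_DEFAULT: Tuple[Rule, ...] = (
    Rule("read"),                                    # (scope = read)
    Rule("browse", frozenset()),                     # (scope = browse filter = none)
    Rule("subtree", frozenset({AND, OR, EQUALITY})), # (scope = subtree filter = and, or, equality)
)
ADMIN: Tuple[Rule, ...] = (Rule("all"),)             # (scope = all)


def search_allowed(profile: Tuple[Rule, ...], scope: str, flt: str) -> bool:
    """True if some rule in the profile admits a search of this scope and filter."""
    kinds = filter_items(flt)
    for rule in profile:
        if rule.scope not in ("all", scope):
            continue
        if rule.filter_kinds is None:            # any filter
            return True
        if rule.filter_kinds == frozenset():     # filter = none
            if flt.lower() == DEFAULT_BROWSE_FILTER:
                return True
            continue
        if kinds <= rule.filter_kinds:           # every item kind is permitted
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: the last two are tree-wide sweeps that the
    # userDefault profile refuses while the admin profile permits them.
    for scope, flt in [("read", "(sn=Sm*)"), ("browse", "(objectClass=*)"),
                       ("subtree", "(&(objectClass=person)(sn=Smith))"),
                       ("subtree", "(cn=*)"), ("subtree", "(sn=Sm*)")]:
        print(f"{scope:8} {flt:40} userDefault={search_allowed(USER_DEFAULT, scope, flt)!s:5} "
              f"admin={search_allowed(ADMIN, scope, flt)}")
```

The practical point the model makes visible is that the restriction is on filter item kinds at subtree scope, not on the subtree itself: a user can still locate a specific entry with an equality filter, but cannot enumerate the tree with a presence or substring filter unless a role grants the admin profile.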