Example Access Control Policy

The directory architect has created the following plain-English access control policy:

DSA administrators have all privileges.
Authenticated users (that is, all users except public users) can update their own entries.
PABX operators can update all telephone numbers.
Public (anonymous) users can view, but not change, the name, email address, and telephone number of any staff member, and can also view, but not change, anything in the public subtree.
Passwords must be invisible to everyone except DSA administrators.