In this example, the set reg-user rule gives the user modification rights to all attributes in their own entry, and the protected-items rule takes away modification rights for just the role attribute. The result is that users can modify all attributes in their own entries except "role", which they can read.
set reg-user = { own-entry subtree = <o DemoCorp> perms = modify };
set protected-items = { own-entry subtree = <o DemoCorp> attrs = role perms = modify };
Without the perms = modify in the set protected-items rule, the user would be denied all access to the role attribute (including read access).
Copyright © 2011 CA. All rights reserved.