Example: Let a User Modify All Attributes in Their Own Entry Except "role"

In this example, the set reg-user rule gives the user modification rights to all attributes in their own entry, and the protected-items rule takes away modification rights for just the role attribute. The result is that users can modify all attributes in their own entries except "role", which they can read.

set reg-user = {
 own-entry
 subtree	= <o Democorp>
 perms	= modify
};
set protected-items = {
 own-entry
 subtree	= <o DemoCorp>
 attrs	= role
 perms	= modify
};

Without the perms = modify in the set protected-items rule, the user would be denied all access to the role attribute (including read access).
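
The interaction of the two rules can be checked with a small model. This is an added Python example, not code from the original page or from the directory server. It assumes that a modify grant also allows read (as the result stated above implies), ignores subtree matching because both rules cover the same subtree, and uses a constructed attribute name `mail` for comparison.

```python
import re

# Constructed sample: the two rules from this page, and a variant in which the
# protected-items rule has lost its perms line (the case in the last sentence).
PAGE_RULES = """
set reg-user = {
 own-entry
 subtree = <o Democorp>
 perms = modify
};
set protected-items = {
 own-entry
 subtree = <o DemoCorp>
 attrs = role
 perms = modify
};
"""
NO_PERMS = PAGE_RULES.replace(" attrs = role\n perms = modify", " attrs = role")

RULE_RE = re.compile(r"set\s+([\w-]+)\s*=\s*\{(.*?)\};", re.S)
GRANTS = {"read": {"read"}, "modify": {"read", "modify"}}  # assumption: modify implies read

def parse_rules(text):
    """Parse 'set <type> = { ... };' blocks into dicts of their settings."""
    rules = []
    for kind, body in RULE_RE.findall(text):
        rule = {"type": kind, "flags": set()}
        for line in filter(None, (l.strip() for l in body.splitlines())):
            key, sep, value = line.partition("=")
            if sep:
                rule[key.strip()] = value.strip()
            else:
                rule["flags"].add(line)  # bare keyword such as own-entry
        rules.append(rule)
    return rules

def own_entry_access(rules, attr):
    """Model only: what a user may do to attr in their own entry."""
    allowed = set()
    for r in rules:
        if r["type"] == "reg-user" and "own-entry" in r["flags"]:
            allowed |= GRANTS.get(r.get("perms"), set())
    for r in rules:
        if r["type"] != "protected-items" or "own-entry" not in r["flags"]:
            continue
        # Assumption: several attrs would be comma-separated; the page lists one.
        if attr.lower() in [a.strip().lower() for a in r.get("attrs", "").split(",")]:
            # With perms only that permission is removed; without it, all access is.
            allowed = allowed - ({r["perms"]} if "perms" in r else allowed)
    return allowed
```

With the rules as written, `role` evaluates to read-only and `mail` to read and modify; with the `perms` line removed from the protected-items rule, `role` evaluates to no access at all.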