From 0f9797e87b2bf28213968aeb65ec862ce65e92b7 Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Thu, 07 Jul 2011 07:59:04 +0000
Subject: [PATCH] Improve the example ACI, Full Access for Administrators, which currently does not assign permissions to change operational attributes, or do proxy auth, import, or export operations.

---
 opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml b/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml
index 93cb852..0c0d4ca 100644
--- a/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml
+++ b/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml
@@ -807,9 +807,15 @@
    <para>Directory Administrators need privileges as well for full access to
    administrative operations.</para>
    <programlisting language="ldif">aci: (target="ldap:///dc=example,dc=com") (targetattr =
- "*")(version 3.0;acl "Admins can run amok"; allow(all) groupdn =
+ "* || +")(version 3.0;acl "Admins can run amok"; allow(
+ all, proxy, import, export) groupdn =
  "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
  </programlisting>
+   <para>Notice both <literal>targetattr = "* || +"</literal>, which permits
+   access to both all user attributes and all operational attributes, and
+   <literal>allow(all, proxy, import, export)</literal>, which permits not
+   only all user operations, but also proxy authorization as well as data
+   import and export operations.</para>
   </example>
 
   <example>

--
Gitblit v1.10.0