From eb4b6f52083bbfdf7b7b80a7a31efa9143560fb2 Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Wed, 31 Jul 2013 10:17:57 +0000
Subject: [PATCH] CR-2088 Fix OPENDJ-1104 targetattrfilters should be targattrfilters

---
 opends/src/main/docbkx/admin-guide/chap-privileges-acis.xml |   23 ++++++++++++-----------
 1 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/opends/src/main/docbkx/admin-guide/chap-privileges-acis.xml b/opends/src/main/docbkx/admin-guide/chap-privileges-acis.xml
index 168b7c5..92c2f5d 100644
--- a/opends/src/main/docbkx/admin-guide/chap-privileges-acis.xml
+++ b/opends/src/main/docbkx/admin-guide/chap-privileges-acis.xml
@@ -192,10 +192,13 @@
       multiple attribute type names with ||.</para>
       <para>This specification affects the entry where the ACI is located, or
       the entries specified by other targets in the ACI.</para>
-      <para>You can use an asterisk, *, to specify all non-operational
-      attributes, although you will see better performance when explicitly
-      including or excluding attribute types needed. You can use a plus, +, to
-      specify all operational attributes.</para>
+      <para>You can use an asterisk, *, to specify all user attributes, although
+      you will see better performance when explicitly including or excluding
+      attribute types needed. You can use a plus, +, to specify all operational
+      attributes.</para>
+      <para>Note that a negated <replaceable>attr-list</replaceable> of
+      operational attributes will only match other operational attributes and
+      never any user attributes, and vice-versa.</para>
       <para>If you do not include this target specification, then by default
       no attributes are affected by the ACI.</para>
      </listitem>
@@ -607,7 +610,7 @@
      <listitem>
       <para>The ACI must allow the <literal>add</literal> permission to entries
       in the target. This implicitly allows the attributes and values to be set.
-      Use <literal>targetattrfilters</literal> to explicitly deny access to any
+      Use <literal>targattrfilters</literal> to explicitly deny access to any
       values if required.</para>
       <para>For example, the ACI required to allow
       <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to add an entry
@@ -648,7 +651,7 @@
      <listitem>
       <para>The ACI must allow the <literal>delete</literal> permission to the
       target entry. This implicitly allows the attributes and values in the
-      target to be deleted. Use <literal>targetattrfilters</literal> to
+      target to be deleted. Use <literal>targattrfilters</literal> to
       explicitly deny access to the values if required.</para>
       <para>For example, the ACI required to allow
       <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to delete an
@@ -664,7 +667,7 @@
       <para>The ACI must allow the <literal>write</literal> permission to
       attributes in the target entries. This implicitly allows all
       values in the target attribute to be modified. Use
-      <literal>targetattrfilters</literal> to explicitly deny access to specific
+      <literal>targattrfilters</literal> to explicitly deny access to specific
       values if required.</para>
       <para>For example, the ACI required to allow
       <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to modify the 
@@ -685,7 +688,7 @@
       <para>The ACI must allow <literal>write</literal> permission to the
       attributes in the old RDN and the new RDN. All values of the old RDN and
       new RDN can be written implicitly; use
-      <literal>targetattrfilters</literal> to explicitly deny access to values
+      <literal>targattrfilters</literal> to explicitly deny access to values
       used if required.</para>
       <para>For example, the ACI required to allow
       <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to rename
@@ -707,9 +710,7 @@
       used to allow particular attributes to be returned. If
       <literal>read</literal> permission is allowed to any attribute, the
       server will automatically allow the <literal>objectClass</literal>
-      attribute to also be read. All values of readable attributes can be
-      implicitly read; to restrict this use
-      <literal>targetattrfilters</literal>.</para>
+      attribute to also be read.</para>
       <para>For example, the ACI required to allow
       <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to search for
       <literal>uid</literal> attributes, and also to read that attribute in

--
Gitblit v1.10.0