Jaap Winius jwinius@umrk.nl writes:
Quoting Dieter Kluenter dieter@dkluenter.de:
[...]
This works for a user with attr title=telephonemanager. However, to demonstrate the flexibility of this set rule...
access to attrs=telephoneNumber
    by set="user/description & [telephonemanager]" write
    by users read
... this works for a user with attr description=telephonemanager!
This is cool regardless, but I think my NIU-friend would say that it's cool because this set rule allows you to give users telephonemanager privileges without the need to maintain a telephonemanager group.
Actually, I think this solution can be improved upon significantly. For example, what if our privileged user had this attribute:
description: titlemanager telephonemanager addressmanager
This is a single value; you actually want a multi-valued attribute type.
Can a set rule be devised to match not only users with a description value that equals "telephonemanager", but also one that includes it in a longer string? We would need something like:
access to attrs=telephoneNumber
    by set="user/description & [*telephonemanager*]" write
    by users read
Only, that doesn't work.
Is this possible?
Did you define an index for description? But still I don't think this could work, although I have never tested this.
-Dieter
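
The multi-valued approach suggested in the reply above, as an added example that is not part of the original thread: a simplified Python model of the intersection in `set="user/description & [telephonemanager]"`, plus a helper that builds the LDIF needed to split the packed value into one value per role. The DN, the function names and the sample value layout are assumptions made for illustration; the model compares whole values only and does not reproduce slapd's case handling.

```python
"""Simplified model of set="user/description & [literal]" (added example)."""


def set_grants(user_values, literal):
    # Model: the set clause grants access when the intersection is non-empty.
    # Elements are compared as whole values; the literal is treated as a plain
    # string, so "*" has no wildcard meaning here (assumption of this model).
    return bool(set(user_values) & {literal})


def split_roles_ldif(dn, attr, packed_value):
    """Return (roles, ldif) where ldif replaces one space-separated value
    with one attribute value per role. Assumes plain-ASCII DN and values,
    so no base64 encoding of the LDIF is needed."""
    roles = packed_value.split()
    lines = [f"dn: {dn}", "changetype: modify", f"replace: {attr}"]
    lines += [f"{attr}: {role}" for role in roles]
    lines.append("-")
    return roles, "\n".join(lines) + "\n"


# Constructed sample data: hypothetical user entry and the packed value
# quoted in the thread.
DN = "uid=jdoe,ou=people,dc=example,dc=com"
PACKED = "titlemanager telephonemanager addressmanager"

if __name__ == "__main__":
    # One long value: the whole string is a single set element, no match.
    print("packed value grants write:", set_grants([PACKED], "telephonemanager"))

    roles, ldif = split_roles_ldif(DN, "description", PACKED)
    # One value per role: "telephonemanager" is now its own set element.
    print("multi-valued grants write:", set_grants(roles, "telephonemanager"))
    # The wildcard form from the thread is still just a literal string.
    print("wildcard literal grants write:", set_grants(roles, "*telephonemanager*"))
    print(ldif, end="")
```

The generated LDIF can be reviewed and then applied with `ldapmodify`; the ACL itself stays as in the first rule quoted in the thread.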