We will now configure the system to allow anyone to modify his/her own password :
{
identificationTag "allowSelfAccessAndModification",
precedence 14,
authenticationLevel none,
itemOrUserFirst userFirst:
{
userClasses { thisEntry },
userPermissions
{
{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse, grantRead } },
{ protectedItems {allAttributeValues {userPassword}}, grantsAndDenials { grantAdd, grantRemove } }
}
}
}
Note that two different user permissions are used to accurately specify self access and self modification of the userPassword attribute within the entry. So with the first userPermission of this ACI a user would be able to read all attributes and values within his/her entry. They also have the ability to modify the entry but this is moot since they cannot add, remove or replace any attributes within their entry. The second user permission completes the picture by granting add and remove permissions to all values of userPassword. This means the user can replace the password.