4.2.4.3 - SubentryACI
Access to subentries also needs to be controlled. Subentries are special in ApacheDS. Although they subordinate to an administrative entry (entry of an Administrative Point), they are technically considered to be in the same context as their administrative entry. ApacheDS considers the perscriptive ACI applied to the administrative entry, to also apply to its subentries.
This however is not the most intuitive mechanism to use for explicitly controlling access to subentries. A more explicit mechanism is used to specify ACIs specifically for protecting subentries. ApacheDS uses the multivalued operational attribute, subentryACI, within administrative entries to control access to immediately subordinate subentries.
Protection policies for ACIs themselves can be managed within the entry of an administrative point.