Showing results for 
Search instead for 
Did you mean: 

ACI Evaluation Order

UnboundID PhilipP

Access Control Instructions (ACIs) are used, as their name implies, to control access to attributes, entries and even whole sub-trees within the DIRECTORY informaton Tree (DIT).


They are stored as attributes on an entry. The evaluation order of these is actually straigtforward, once you know how it works.


A somewhat simplified (but sufficient for most purposes) description is as follows:


  • Traverse the tree (DIT) from the root to the entry being accessed. Collect every ACI enountered on that path.
  • Sort the collected ACIs into two "buckets", DENY and ALLOW.
  • Sort each of the buckets so that simpler/easier/faster to evaluate ACIs are processed first.
  • Begin processing the ACIs in the DENY bucket. If a matching ACI is found, processing stops and the request is DENIED.
  • If the end of the DENY bucket is reached, begin processing the ALLOW bucket.
  • If a matching ALLOW ACI is found, processing stops, access is ALLOWED.
  • If the end of the ALLOW bucket is reached, there is an implicit DENY. Access is DENIED.


From this description it should be clear that:


  • Placement of an ACI only affects its scope.
  • Order of evaluation is indeterminate. Placing an ACI closer to an entry will not override those "higher" in the DIT.
  • Placing an ACI closer to the data it protects ensures that it is only evaluated when accessing that data (performance impact).
  • The directory has no access by default, DENY ACIs should be rare.