access to dn.sub="ou=Group,dc=example,dc=com"
by users read break
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=member
by group.expand="$1" self+z
by group/UDBgrp/UDBgrpInvited.expand="$1" self+a
by group/UDBgrp/UDBgrpAdmin.expand="$1" +z
by group/UDBgrp/UDBgrpSuspended.expand="$1" self+a
by users read
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=UDBgrpInvited
by group/UDBgrp/UDBgrpInvited.expand="$1" self+z
by group/UDBgrp/UDBgrpAdmin.expand="$1" +az
by users read
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=UDBgrpSuspended
by group.expand="$1" self+a
by group/UDBgrp/UDBgrpSuspended.expand="$1" self+z
by group/UDBgrp/UDBgrpAdmin.expand="$1" +z
by users read
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=UDBgrpAdmin
by group/UDBgrp/UDBgrpAdmin.expand="$1" write
by users read
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=description
by group/UDBgrp/UDBgrpAdmin.expand="$1" write
by users read
access to dn.exact="ou=Group,dc=example,dc=com" attrs=children
by users write
# The 'filter' prevents the creation of any non-group objects
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=entry filter="(&(objectClass=groupOfNames)(objectClass=UDBgrp))"
by group/UDBgrp/UDBgrpAdmin.expand="$1" write
by users add