+privileges to authenticated clients.
+.SH OPERATION REQUIREMENTS
+Operations require different privileges on different portions of entries.
+The following summary applies to primary database backends such as
+the LDBM, BDB, and HDB backends. Requirements for other backends may
+(and often do) differ.
+.LP
+The
+.B add
+operation requires
+.B write (=w)
+privileges on the pseudo-attribute
+.B entry
+of the entry being added, and
+.B write (=w)
+privileges on the pseudo-attribute
+.B children
+of the entry's parent.
+.LP
+The
+.B bind
+operation, when credentials are stored in the directory, requires
+.B auth (=x)
+privileges on the attribute the credentials are stored in (usually
+.BR userPassword ).
+.LP
+The
+.B compare
+operation requires
+.B compare (=c)
+privileges on the attribute that is being compared.
+.LP
+The
+.B delete
+operation requires
+.B write (=w)
+privileges on the pseudo-attribute
+.B entry
+of the entry being deleted, and
+.B write (=w)
+privileges on the
+.B children
+pseudo-attribute of the entry's parent.
+.LP
+The
+.B modify
+operation requires
+.B write (=w)
+privileges on the attibutes being modified.
+.LP
+The
+.B modrdn
+operation requires
+.B write (=w)
+privileges on the pseudo-attribute
+.B entry
+of the entry whose relative DN is being modified,
+.B write (=w)
+privileges on the pseudo-attribute
+.B children
+of the old and new entry's parents, and
+.B write (=w)
+privileges on the attributes that are present in the new relative DN.
+.B Write (=w)
+privileges are also required on the attributes that are present
+in the old relative DN if
+.B deleteoldrdn
+is set to 1.
+.LP
+The
+.B search
+operation, for each entry, requires
+.B search (=s)
+privileges on the attributes that are defined in the filter.
+Then, the resulting entries are tested for
+.B read (=r)
+privileges on the pseudo-attribute
+.B entry
+(for read access to the entry itself)
+and for
+.B read (=r)
+access on each value of each attribute that is requested.
+Also, for each
+.B referral
+object used in generating continuation references, the operation requires
+.B read (=r)
+access on the pseudo-attribute
+.B entry
+(for read access to the referral object itself),
+as well as
+.B read (=r)
+access to the attribute holding the referral information
+(generally the
+.B ref
+attribute).
+.LP
+Some
+.B controls
+require specific access privileges.
+The
+.B proxyAuthz
+control requires
+.B auth (=x)
+privileges on all the attributes that are present in the search filter
+of the URI regexp maps (the right-hand side of the
+.B sasl-regexp
+directives).
+It also requires
+.B auth (=x)
+privileges on the
+.B saslAuthzTo
+attribute of the authorizing identity and/or on the
+.B saslAuthzFrom
+attribute of the authorized identity.
+.SH CAVEATS
+It is strongly recommended to explicitly use the most appropriate
+.BR <dnstyle> ,
+to avoid possible incorrect specifications of the access rules as well
+as for performance (avoid unrequired regex matching when an exact
+match suffices) reasons.
+.LP
+An administrator might create a rule of the form:
+.LP
+.nf
+ access to dn.regex="dc=example,dc=com"
+ by ...
+.fi
+.LP
+expecting it to match all entries in the subtree "dc=example,dc=com".
+However, this rule actually matches any DN which contains anywhere
+the substring "dc=example,dc=com". That is, the rule matches both
+"uid=joe,dc=example,dc=com" and "dc=example,dc=com,uid=joe".
+.LP
+To match the desired subtree, the rule would be more precisely
+written:
+.LP
+.nf
+ access to dn.regex="^(.+,)?dc=example,dc=com$$"
+ by ...
+.fi
+.LP
+For performance reasons, it would be better to use the subtree style.
+.LP
+.nf
+ access to dn.subtree="dc=example,dc=com"
+ by ...
+.fi
+.LP
+When writing submatch rules, it may be convenient to avoid unnecessary
+.B regex
+.B <dnstyle>
+use; for instance, to allow access to the subtree of the user
+that matches the
+.B what
+clause, one could use
+.LP
+.nf
+ access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$"
+ by dn.regex="^uid=$1,dc=example,dc=com$$" write
+ by ...
+.fi
+.LP
+However, since all that is required in the
+.B to
+clause is substring expansion, a more efficient solution is
+.LP
+.nf
+ access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$"
+ by dn.exact,expand="uid=$1,dc=example,dc=com" write
+ by ...
+.fi
+.LP
+In fact, while a
+.B <dnstyle>
+of
+.B regex
+implies substring expansion,
+.BR exact ,
+as well as all the other DN specific
+.B <dnstyle>
+values, does not, so it must be explicitly requested.
+.LP