Target scope

When you select a category as a target in the Target box, you use the Scope of Target box to specify whether a subject's access settings apply only to documents at that category or also to documents under subcategories as well.

About this task

Keep This container and all descendants (the default) selected to apply the subject's access settings to documents under the selected target category as well as to documents under subcategories. Select This container only to apply the subject's access settings to documents under the selected target category only.

You select a scope for each subject with access at a target category.

Example of using This container and all descendants as a target scope

About this task

Suppose you want users who access the database through the -Default- entry to see any Person and Group document in the directory but no other type of document. You could do the following:

  • Give the -Default- subject Reader access in the database ACL.
  • In the extended ACL, add the -Default- as the subject at / (root) and deny it all access by default, but allow it Browse and Read access to the Person and Group forms.
  • Keep This container and all descendants as the scope to apply the access settings to the entire directory.

Example of using This container only as a target scope

About this task

Suppose the names of documents in your company fall under the organization O=Acme or one of the organizational units OU=East or OU=West. You want to deny the group Admins/Acme all access to documents in the directory except documents at O=Acme. You want to allow the group all access to documents at O=Acme. You could give the group Admins/Acme Editor access in the database ACL with all database ACL privileges and administration roles. At / (root) deny Admins/Acme all access and select This container and all descendants. At O=Acme allow Admins/Acme all access and select This container only as the scope. Admins/Acme deny access set at / (root) continues to apply to OU=East and OU=West.