Modification policy, in the context of DIB access control, is concerned with controlling the actions of modify operations. This section describes how modification controls apply to each modify operation.
For the ADD-ENTRY operation, modification policy can control whether or not a particular area of the DIT is allowed to receive new leaf entries. The general application of access control policy to an area of the DIT is discussed in a later section on ``Encoding Policy in an ACL.'' If area permissions allow the new entry to be added, then the Directory makes additional modification policy checks for each attribute type and each attribute value that is to be contained by the new entry. If modification policy denies the addition of any of the proposed attributes or values, then the entire operation fails.
For REMOVE-ENTRY, modification policy can control whether or not an entire entry (including all of its contents) is allowed to be removed. Component attributes and values cannot be controlled independently with respect to the REMOVE-ENTRY operation (they may, however be independently controlled for the MODIFY-ENTRY operation as explained below). For each REMOVE-ENTRY operation, the Directory makes a single check of modification policy to see if the entire entry is allowed to be removed; there are no separate checks for each attribute and value inside the entry (as was the case for ADD-ENTRY).
In the case of MODIFY-ENTRY, the Directory first checks modification policy to see if the MODIFY-ENTRY operation may be used on the target entry. If so, for each attribute removal, the Directory makes one check of modification policy to see if the entire attribute (with all its values) can be removed. For each attribute value removal, the Directory makes one check of modification policy to see if that value can be removed (note that modification policy applicable to the attribute as a whole is not checked when the request is for removal of a particular value). For each attribute that is added, a check is made of modification policy to see if the attribute as a whole may be added; if so, a check of modification policy is made for each value to be added. Similarly, for each attribute value added to an existing attribute, a check of modification policy is made to ensure the new value may be added. Controls on an attribute as a whole are independent of controls on particular values of an attribute.
For MODIFY-DISTINGUISHED-NAME, the Directory first determines if the operation causes the target entry to ``move'' to a new immediate superior (parent) entry in the DIT. If the modification would result in the target entry having the same parent, then the Directory makes a single check of modification policy to determine if the renaming is allowed. If the modification would result in the target entry having a new parent, then the Directory makes two checks of modification policy: the first check determines if the entry (considered with the name it had prior to the operation) is allowed to be moved to a new parent; the second check determines if the DIT area that would be occupied by the moved entry (and all its subordinates) is allowed to receive moved entries. Control on renaming an entry without moving it to a new parent is independent of controls on whether or not an entry may be moved to a new parent.