The policy orientations described above can be combined to form new, more powerful orientations that may be used when the applicability of a particular policy fragment is defined in terms of more than one of the basic orientations. For example, suppose a particular control on the READ operation applies to entries in a specific subtree except for entries in one of the branches of that subtree; further, suppose the policy only applies to a particular object class (say, object class E) within subtree levels 2 and 3. The area labeled subtree with exclusion in figure 12.9 is an example of the part of this hybrid orientation involving a subtree with an excluded branch.
Building on figure 12.9, an illustration of the complete scope of influence for the hypothetical policy is shown in figure 12.11, where entries with labels that begin with e (e.g., e1, e2) are the only entries of object class E. Entries labeled e3, e4, and e6 are the only entries in the hybrid scope of influence for ACLs enforcing the example policy. Because the ACLs are expressed as hybrid subtree controls, they will automatically apply to any new entry of object class E that is added (via ADD-ENTRY) to levels 2 or 3 of the area labeled subtree with exclusion. They will also automatically apply to any entry of object class E that is moved into the hybrid scope via the MODIFY-DISTINGUISHED-NAME operation.
Carrying the example one step further, suppose the policy applying to the hybrid scope is a modification policy controlling permissions for the ADD-ENTRY operation. Suppose the associated ACL grants entry-level permission for ADD-ENTRY to reflect a policy that the subtree with root labeled a1 may only grow by adding new entries of object class E in subtree levels 2 and 3. The ACL also grants all the needed permissions to allow addition of all applicable attribute types and values. Under this policy, an attempt to add a sibling (with object class E) of e4 would succeed, as would an attempt to add an entry of object class E as a child of b2. An attempt to add an entry of class E as a child of e4 would fail, but adding the same entry as a child of e6 would succeed.
Figure 12.11: Example of hybrid scope of influence.
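The hybrid scope test and the ADD-ENTRY outcomes described above, as an added Python example that is not part of the original text. The tree is constructed to be consistent with the outcomes the text states and is not a reproduction of figure 12.11; the name x1 for the root of the excluded branch and the convention that the subtree root a1 sits at level 0 are assumptions.

```python
# Constructed tree (child -> parent); NOT a copy of figure 12.11, only
# consistent with the outcomes the text states. "x1" is a hypothetical name
# for the root of the excluded branch.
PARENT = {"a1": None, "b1": "a1", "b2": "a1", "e1": "a1", "x1": "a1",
          "e3": "b1", "e4": "e3", "e5": "e4", "e6": "b2", "e2": "x1"}
# Per the text, entries whose labels begin with "e" are the only class-E entries.
OBJECT_CLASS = {n: ("E" if n.startswith("e") else "other") for n in PARENT}

BASE, EXCLUDED_ROOT = "a1", "x1"
MIN_LEVEL, MAX_LEVEL = 2, 3   # assumption: the subtree root a1 is level 0
SCOPED_CLASS = "E"


def ancestors(name):
    """Yield the entry itself, then each ancestor up to the top of the tree."""
    while name is not None:
        yield name
        name = PARENT[name]


def position_in_scope(chain):
    """chain is an entry followed by its ancestors: subtree, exclusion, level."""
    if BASE not in chain or EXCLUDED_ROOT in chain:
        return False
    return MIN_LEVEL <= chain.index(BASE) <= MAX_LEVEL


def in_scope(name):
    """True when an existing entry falls inside the hybrid scope of influence."""
    return OBJECT_CLASS[name] == SCOPED_CLASS and position_in_scope(list(ancestors(name)))


def scope_members():
    """All existing entries the hybrid ACLs apply to."""
    return sorted(n for n in PARENT if in_scope(n))


def can_add(parent, object_class):
    """ADD-ENTRY decision, judged at the position the new entry would occupy.
    Anything outside the hybrid scope is denied (the subtree may only grow there)."""
    chain = ["<new>"] + list(ancestors(parent))
    return object_class == SCOPED_CLASS and position_in_scope(chain)
```

Because the decision is computed from the prospective position rather than from a list of entries, an entry moved into the scope is covered without any change to the policy.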