Simple Result Criteria

Simple Result Criteria define sets of criteria for grouping and describing operation results based on a number of properties. It can take into account properties from the client connection, the operation request, the result code, response controls. Additional criteria is available for specific types of operations.

Parent Component Relations from This Component Properties dsconfig Usage

Parent Component

The Simple Result Criteria component inherits from the Result Criteria

Relations from This Component

The following components have a direct aggregation relation from Simple Result Criteria:

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  request-criteria
 result-code-criteria
 result-code-value
 processing-time-criteria
 processing-time-value
 queue-time-criteria
 queue-time-value
 referral-returned
 all-included-response-control
 any-included-response-control
 not-all-included-response-control
 none-included-response-control
 used-alternate-authzid
 used-any-privilege
 used-privilege
 missing-any-privilege
 missing-privilege
 retired-password-used-for-bind
 search-entry-returned-criteria
 search-entry-returned-count
 search-reference-returned-criteria
 search-reference-returned-count
 search-indexed-criteria
 included-authz-user-base-dn
 excluded-authz-user-base-dn
 all-included-authz-user-group-dn
 any-included-authz-user-group-dn
 not-all-included-authz-user-group-dn
 none-included-authz-user-group-dn

Basic Properties

description

Description
A description for this Result Criteria
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

result-code-criteria

Description
Specifies which operation result codes are allowed for operations included in this Simple Result Criteria.
Default Value
all-result-codes
Allowed Values
all-result-codes - The result code will not be considered when determining whether an operation matches this Simple Result Criteria.

non-failure-result-codes - Only operations with non-failure result codes (i.e., those result codes which indicate that the operation was processed to completion without encountering any errors, or which indicate that there may be additional processing to perform through subsequent requests) may be included in this Simple Result Criteria. The set of non-failure result codes includes "success", "compare-false", "compare-true", "referral", "sasl-bind-in-progress", and "no-operation".

failure-result-codes - Only operations with result codes not included in the set of non-failure result codes may be included in this Simple Result Criteria. The set of failure result codes includes all result codes except the following: "success", "compare-false", "compare-true", "referral", "sasl-bind-in-progress", and "no-operation".

selected-result-codes - Only operations with result codes included in the set of result codes contained in the result-code property may be included in this Simple Result Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

result-code-value

Description
Specifies the operation result code values for results included in this Simple Result Criteria. This will only be taken into account if the "result-code-criteria" property has a value of "selected-result-codes". If no result code values are specified, then the operation result code will not be considered when determining whether an operation matches this Simple Result Criteria.
Default Value
None
Allowed Values
success - Operation processing completed successfully.

operations-error - An error occurred related to the ordering of operations.

protocol-error - An error occurred while parsing the request from the client.

time-limit-exceeded - Search processing took longer than the maximum allowed time to complete.

size-limit-exceeded - The associated search request matched more entries than are allowed to be returned to the client.

compare-false - The assertion contained in the associated compare request did not match the target entry.

compare-true - The assertion contained in the associated compare request matched target entry.

auth-method-not-supported - The requested authentication type is not supported.

strong-auth-required - Strong authentication is required for the requested operation.

referral - A referral was encountered while processing the operation.

admin-limit-exceeded - An administrative limit was exceeded while processing the operation.

unavailable-critical-extension - A critical control included in the request could not be processed.

confidentiality-required - The requested operation requires confidentiality for communication between the client and the server.

sasl-bind-in-progress - A multi-stage SASL bind operation is in progress.

no-such-attribute - A specified attribute did not exist in the target entry.

undefined-attribute-type - A specified attribute type does is not defined in the server schema.

inappropriate-matching - The operation attempted to perform a type of comparison against a specified attribute that is not allowed for that attribute type.

constraint-violation - The operation would have violated a constraint defined in the server.

attribute-or-value-exists - The operation would have resulted in a conflict with an existing attribute or attribute value in the target entry.

invalid-attribute-syntax - An attribute value was provided that is not valid according to the associated attribute syntax.

no-such-object - The operation targeted an entry that does not exist.

alias-problem - An attempt was made to perform an illegal operation against an alias.

invalid-dn-syntax - A provided value could not be parsed as a valid distinguished name.

alias-dereferencing-problem - A problem occurred while attempting to dereference an alias during search processing.

inappropriate-authentication - The attempted authentication type was not appropriate for the target user.

invalid-credentials - The bind credentials provided were not valid.

insufficient-access-rights - The user does not have permission to perform the requested operation.

busy - The server is too busy to process the requested operation.

unavailable - The server is not available to process client requests.

unwilling-to-perform - The server is not willing to process the requested operation.

loop-detect - A referral or chaining loop was encountered while processing the request.

sort-control-missing - The search request contained the virtual list view request control but was missing the required server-side sort request control.

offset-range-error - The search request contained the virtual list view request control with an invalid offset or range.

naming-violation - The operation would have resulted in an entry that violates the server's naming constraints.

objectclass-violation - The operation would have resulted in an entry that violates schema constraints for the object classes contained in the entry.

not-allowed-on-nonleaf - The requested operation is not allowed for non-leaf entries.

not-allowed-on-rdn - The requested operation attempted to alter an RDN attribute value in a manner that is not allowed.

entry-already-exists - The requested operation would have resulted in an entry that conflicts with an entry that already exists in the server.

objectclass-mods-prohibited - The requested operation would have modified the object classes contained in the target entry in a manner that is not allowed.

affects-multiple-dsas - The requested operation would have required updating entries that exist in multiple servers.

virtual-list-view-error - An error occurred while performing virtual list view processing.

other - An error occurred which does not fit any other defined result code.

canceled - The operation was canceled.

no-such-operation - The target operation could not be canceled because it did not exist or had already completed.

too-late - The target operation could not be canceled because the server had already completed too much processing on the operation to allow it to be canceled.

cannot-cancel - The target operation could not be canceled because operations of that type cannot be canceled.

assertion-failed - The target entry did not match the filter contained in the assertion request control.

authorization-denied - The client does not have permission to use the proxied authorization control.

no-operation - No problems were encountered while processing the operation, but no changes were applied because the request included the no-op control.

interactive-transaction-aborted - The interactive transaction has been aborted.

database-lock-conflict - A database lock conflict has been detected.

mirrored-subtree-digest-mismatch - A mirrored subtree digest mismatch has been detected.

token-delivery-mechanism-unavailable - A token could not be delivered because none of the identified delivery mechanisms were available for the target user.

token-delivery-attempt-failed - A token could not be delivered because the attempt to invoke the delivery mechanism failed.

token-delivery-invalid-recipient-id - A token could not be delivered because the client provided an invalid recipient ID.

token-delivery-invalid-account-state - A token could not be delivered because the target user had an account state that did not permit the token to be used.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

processing-time-criteria

Description
Indicates whether the time required to process the operation should be taken into consideration when determining whether to include the operation in this Simple Result Criteria. If the processing time should be taken into account, then the "processing-time-value" property should contain the boundary value.
Default Value
any
Allowed Values
any - The time required to process the operation should not be taken into account when determining whether to include the operation in this Simple Result Criteria.

less-than-or-equal-to - Only operations with a processing time that is less than or equal to the value contained in the "processing-time-value" property may be included in this Simple Result Criteria.

greater-than-or-equal-to - Only operations with a processing time that is greater than or equal to the value contained in the "processing-time-value" property may be included in this Simple Result Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

processing-time-value

Description
Specifies the boundary value to use for the operation processing time when determining whether to include that operation in this Simple Result Criteria. This will be ignored if the "processing-time-criteria" property has a value of "any".
Default Value
0 ms
Allowed Values
A duration. Lower limit is 0 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

queue-time-criteria

Description
Indicates whether the time the operation was required to wait on the work queue should be taken into consideration when determining whether to include the operation in this Simple Result Criteria. If the queue time should be taken into account, then the "queue-time-value" property should contain the boundary value. This property should only be given a value other than "any" if the work queue has been configured to monitor the time operations have spent on the work queue.
Default Value
any
Allowed Values
any - The time the operation spent waiting on the work queue should not be taken into account when determining whether to include the operation in this Simple Result Criteria.

less-than-or-equal-to - Only operations that had to wait for a length of time that is less than or equal to the value contained in the "queue-time-value" property may be included in this Simple Result Criteria.

greater-than-or-equal-to - Only operations that had to wait for a length of time that is greater than or equal to the value contained in the "queue-time-value" property may be included in this Simple Result Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

queue-time-value

Description
Specifies the boundary value to use for the time an operation spent on the work queue when determining whether to include that operation in this Simple Result Criteria. This will be ignored if the "queue-time-criteria" property has a value of "any".
Default Value
0 ms
Allowed Values
A duration. Lower limit is 0 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

referral-returned

Description
Indicates whether operation results which include one or more referral URLs should be included in this Simple Result Criteria. If no value is provided, then whether an operation includes any referral URLs will not be considered when determining whether it matches this Simple Result Criteria. Note that this refers only to the inclusion of the referral element in the LDAP result element of the response and does not include search result references that may have been returned during the course of processing a search operation. The search-reference-returned property may be used to make determinations based on whether any search result references were returned to the client.
Default Value
optional
Allowed Values
required - Only operation results which include one or more referral URLs may be included in this Simple Result Criteria.

prohibited - Only operation results which did not include any referral URLs may be included in this Simple Result Criteria.

optional - This Simple Result Criteria may include operation results which did or did not contain any referral URLs.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

all-included-response-control

Description
Specifies the OID of a control that must be present in the response to the client for operations included in this Simple Result Criteria. If any control OIDs are provided, then the response must contain all of those controls. If one or more all-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response includes all of those controls. If one or more any-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response contains at least one of those controls. If one or more not-all-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response does not contain at least one of those controls. If one or more none-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response does not contain any of those controls. If no all-included, any-included, not-all-included, or none-included response control OIDs are provided, then the controls included in the response will not be taken into account when determining whether an operation matches this Simple Result Criteria.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

any-included-response-control

Description
Specifies the OID of a control that may be present in the response to the client for operations included in this Simple Result Criteria. If any control OIDs are provided, then the response must contain at least one of those controls. If one or more all-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response includes all of those controls. If one or more any-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response contains at least one of those controls. If one or more not-all-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response does not contain at least one of those controls. If one or more none-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response does not contain any of those controls. If no all-included, any-included, not-all-included, or none-included response control OIDs are provided, then the controls included in the response will not be taken into account when determining whether an operation matches this Simple Result Criteria.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

not-all-included-response-control

Description
Specifies the OID of a control that should not be present in the response to the client for operations included in this Simple Result Criteria. If any control OIDs are provided, then the response must not contain at least one of those controls (that is, the response may contain zero or more of those controls, but not all of them). If one or more all-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response includes all of those controls. If one or more any-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response contains at least one of those controls. If one or more not-all-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response does not contain at least one of those controls. If one or more none-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response does not contain any of those controls. If no all-included, any-included, not-all-included, or none-included response control OIDs are provided, then the controls included in the response will not be taken into account when determining whether an operation matches this Simple Result Criteria.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

none-included-response-control

Description
Specifies the OID of a control that must not be present in the response to the client for operations included in this Simple Result Criteria. If any control OIDs are provided, then the response must not contain any of those controls. If one or more all-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response includes all of those controls. If one or more any-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response contains at least one of those controls. If one or more not-all-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response does not contain at least one of those controls. If one or more none-included response control OIDs are provided, then this Simple Result Criteria will only match operations in which the response does not contain any of those controls. If no all-included, any-included, not-all-included, or none-included response control OIDs are provided, then the controls included in the response will not be taken into account when determining whether an operation matches this Simple Result Criteria.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

used-alternate-authzid

Description
Indicates whether operation results in which the associated operation used an authorization identity that is different from the authentication identity (e.g., as the result of using a proxied authorization control) should be included in this Simple Result Criteria. If no value is provided, then whether an operation used an alternate authorization identity will not be considered when determining whether it matches this Simple Result Criteria.
Default Value
optional
Allowed Values
required - Only operations which used an alternate authorization identity may be included in this Simple Result Criteria.

prohibited - Only operations which did not use an alternate authorization identity may be included in this Simple Result Criteria.

optional - This Simple Result Criteria may include operations which did or did not use an alternate authorization identity.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

used-any-privilege

Description
Indicates whether operations in which one or more privileges were used should be included in this Simple Result Criteria. If no value is provided, then whether an operation used any privileges will not be considered when determining whether it matches this Simple Result Criteria.
Default Value
optional
Allowed Values
required - Only operations in which one or more privileges were used may be included in this Simple Result Criteria.

prohibited - Only operations in which no privileges were used may be included in this Simple Result Criteria.

optional - This Simple Result Criteria may include operations which did or did not use any privileges.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

used-privilege

Description
Specifies the name of a privilege that must have been used during the processing for operations included in this Simple Result Criteria. If any privilege names are provided, then the associated operation must have used at least one of those privileges. If no privilege names were provided, then the set of privileges used will not be considered when determining whether an operation should be included in this Simple Result Criteria.
Default Value
None
Allowed Values
audit-data-security - Allows the associated user to execute data security auditing tasks.

bypass-acl - Allows the associated user to bypass all access control checks performed by the server for any type of operation.

bypass-read-acl - Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations.

modify-acl - Allows the associated user to modify the server's access control configuration.

config-read - Allows the associated user to read the server configuration.

config-write - Allows the associated user to update the server configuration. The config-read privilege is also required.

jmx-read - Allows the associated user to perform JMX read operations.

jmx-write - Allows the associated user to perform JMX write operations.

jmx-notify - Allows the associated user to subscribe to receive JMX notifications.

ldif-import - Allows the user to request that the server process LDIF import tasks.

ldif-export - Allows the user to request that the server process LDIF export tasks.

backend-backup - Allows the user to request that the server process backup tasks.

backend-restore - Allows the user to request that the server process restore tasks.

server-shutdown - Allows the user to request that the server shut down.

server-restart - Allows the user to request that the server perform an in-core restart.

proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.

disconnect-client - Allows the user to terminate other client connections.

password-reset - Allows the user to reset user passwords.

update-schema - Allows the user to make changes to the server schema.

privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.

unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes.

unindexed-search-with-control - Allows the user to request that the server process a search that cannot be optimized using server indexes but includes the permit unindexed search request control.

bypass-pw-policy - Allows the associated user to bypass password policy processing performed by the server.

lockdown-mode - Allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode.

stream-values - Allows the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT.

third-party-task - Allows the associated user to invoke tasks created by third-party developers.

use-admin-session - Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads.

soft-delete-read - Allows the associated user access to soft-deleted entries.

metrics-read - Allows the associated user access to data in the metrics backend.

manage-topology - Allows the associated user to manage the set of server instances that are part of a topology.

permit-get-password-policy-state-issues - Allows the associated user to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control.

permit-proxied-mschapv2-details - Allows the associated user to issue a bind request that includes the proxied MS-CHAPv2 details request control. The bind request must also include the retain identity request control.

permit-externally-processed-authentication - Allows the associated user to issue a SASL bind request using the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION mechanism.

permit-export-reversible-passwords - Allows the associated user to invoke an extended operation that can cause the server to export passwords stored with a reversible scheme.

permit-forwarding-client-connection-policy - Allows the associated user to request that an operation be processed using a specified client connection policy.

exec-task - Allows the associated user to schedule an exec task.

collect-support-data - Allows the requester to invoke the collect-support-data tool via an administrative task or an extended operation.

file-servlet-access - Allows the requester to access the content exposed by file servlet instances that require this privilege.

permit-replace-certificate-request - Allows the requester to issue requests to manage server listener or inter-server certificates.

permit-verify-password-request - Allows the requester to issue requests to verify user passwords without performing any other password policy processing.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

missing-any-privilege

Description
Indicates whether operations in which one or more privileges were missing should be included in this Simple Result Criteria. If no value is provided, then whether there were any missing privileges will not be considered when determining whether an operation matches this Simple Result Criteria.
Default Value
optional
Allowed Values
required - Only operations in which one or more privileges were missing may be included in this Simple Result Criteria.

prohibited - Only operations in which no privileges missing used may be included in this Simple Result Criteria.

optional - This Simple Result Criteria may include operations which did or did not have any missing privileges.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

missing-privilege

Description
Specifies the name of a privilege that must have been missing during the processing for operations included in this Simple Result Criteria. If any privilege names are provided, then the associated operation must have been missing at least one of those privileges. If no privilege names were provided, then the set of privileges missing will not be considered when determining whether an operation should be included in this Simple Result Criteria.
Default Value
None
Allowed Values
audit-data-security - Allows the associated user to execute data security auditing tasks.

bypass-acl - Allows the associated user to bypass all access control checks performed by the server for any type of operation.

bypass-read-acl - Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations.

modify-acl - Allows the associated user to modify the server's access control configuration.

config-read - Allows the associated user to read the server configuration.

config-write - Allows the associated user to update the server configuration. The config-read privilege is also required.

jmx-read - Allows the associated user to perform JMX read operations.

jmx-write - Allows the associated user to perform JMX write operations.

jmx-notify - Allows the associated user to subscribe to receive JMX notifications.

ldif-import - Allows the user to request that the server process LDIF import tasks.

ldif-export - Allows the user to request that the server process LDIF export tasks.

backend-backup - Allows the user to request that the server process backup tasks.

backend-restore - Allows the user to request that the server process restore tasks.

server-shutdown - Allows the user to request that the server shut down.

server-restart - Allows the user to request that the server perform an in-core restart.

proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.

disconnect-client - Allows the user to terminate other client connections.

password-reset - Allows the user to reset user passwords.

update-schema - Allows the user to make changes to the server schema.

privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.

unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes.

unindexed-search-with-control - Allows the user to request that the server process a search that cannot be optimized using server indexes but includes the permit unindexed search request control.

bypass-pw-policy - Allows the associated user to bypass password policy processing performed by the server.

lockdown-mode - Allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode.

stream-values - Allows the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT.

third-party-task - Allows the associated user to invoke tasks created by third-party developers.

use-admin-session - Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads.

soft-delete-read - Allows the associated user access to soft-deleted entries.

metrics-read - Allows the associated user access to data in the metrics backend.

manage-topology - Allows the associated user to manage the set of server instances that are part of a topology.

permit-get-password-policy-state-issues - Allows the associated user to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control.

permit-proxied-mschapv2-details - Allows the associated user to issue a bind request that includes the proxied MS-CHAPv2 details request control. The bind request must also include the retain identity request control.

permit-externally-processed-authentication - Allows the associated user to issue a SASL bind request using the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION mechanism.

permit-export-reversible-passwords - Allows the associated user to invoke an extended operation that can cause the server to export passwords stored with a reversible scheme.

permit-forwarding-client-connection-policy - Allows the associated user to request that an operation be processed using a specified client connection policy.

exec-task - Allows the associated user to schedule an exec task.

collect-support-data - Allows the requester to invoke the collect-support-data tool via an administrative task or an extended operation.

file-servlet-access - Allows the requester to access the content exposed by file servlet instances that require this privilege.

permit-replace-certificate-request - Allows the requester to issue requests to manage server listener or inter-server certificates.

permit-verify-password-request - Allows the requester to issue requests to verify user passwords without performing any other password policy processing.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

retired-password-used-for-bind

Description
Indicates whether the use of a retired password for authentication should be considered when determining whether a bind operation should be included in this Simple Result Criteria. This will be ignored for all operations other than bind.
Default Value
any
Allowed Values
any - Whether a retired password was used for authentication will not be considered when determining whether a bind operation should be included in this Simple Result Criteria.

retired-password-used - Only bind operations that used a retired password may be included in this Simple Result Criteria.

retired-password-not-used - Only bind operations that did not use a retired password may be included in this Simple Result Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

search-entry-returned-criteria

Description
Indicates whether the number of entries returned should be considered when determining whether a search operation should be included in this Simple Result Criteria. This will be ignored for all operations other than search.
Default Value
any
Allowed Values
any - The number of search entries returned will not be considered when determining whether a search operation should be included in this Simple Result Criteria.

equal-to - Only search operations in which the number of entries returned is equal to the value of the "search-entry-count" property may be included in this Simple Result Criteria.

not-equal-to - Only search operations in which the number of entries returned is not equal to the value of the "search-entry-count" property may be included in this Simple Result Criteria.

less-than-or-equal-to - Only search operations in which the number of entries returned is less than or equal to the value of the "search-entry-count" property may be included in this Simple Result Criteria.

greater-than-or-equal-to - Only search operations in which the number of entries returned is greater than or equal to the value of the "search-entry-count" property may be included in this Simple Result Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

search-entry-returned-count

Description
Specifies the target number of entries returned for use when determining whether a search operation should be included in this Simple Result Criteria. This will be ignored for all operations other than search, and it will be ignored for search operations if the "search-entry-criteria" property has a value of "any".
Default Value
0
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

search-reference-returned-criteria

Description
Indicates whether the number of references returned should be considered when determining whether a search operation should be included in this Simple Result Criteria. This will be ignored for all operations other than search.
Default Value
any
Allowed Values
any - The number of search references returned will not be considered when determining whether a search operation should be included in this Simple Result Criteria.

equal-to - Only search operations in which the number of references returned is equal to the value of the "search-reference-count" property may be included in this Simple Result Criteria.

not-equal-to - Only search operations in which the number of references returned is not equal to the value of the "search-reference-count" property may be included in this Simple Result Criteria.

less-than-or-equal-to - Only search operations in which the number of references returned is less than or equal to the value of the "search-reference-count" property may be included in this Simple Result Criteria.

greater-than-or-equal-to - Only search operations in which the number of references returned is greater than or equal to the value of the "search-reference-count" property may be included in this Simple Result Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

search-reference-returned-count

Description
Specifies the target number of references returned for use when determining whether a search operation should be included in this Simple Result Criteria. This will be ignored for all operations other than search, and it will be ignored for search operations if the "search-reference-criteria" property has a value of "any".
Default Value
0
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

search-indexed-criteria

Description
Indicates whether a search operation should be matched by this Simple Result Criteria based on whether it is considered indexed by the server. This will be ignored for all operations other than search.
Default Value
any
Allowed Values
any - The indexed or unindexed status of the search operation will not be considered when determining whether a search operation should be included in this Simple Result Criteria.

indexed - Only search operations that are considered indexed by the server should be included in this Simple Result Criteria.

unindexed - Only search operations that are considered unindexed by the server should be included in this Simple Result Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

included-authz-user-base-dn

Description
Specifies a base DN below which authorization user entries may exist for operations included in this Simple Result Criteria. The authorization user could be the currently authenticated user on the connection (the user that performed the Bind operation), or different if proxied authorization was used to request that the operation be performed under the authorization of another user (as is the case for operations that come through a Directory Proxy Server). This property will be ignored for operations where no authentication or authorization has been performed. If at least one included authorization base DN is provided, then this Simple Result Criteria will only match operations in which the entry for the authorization user exists at or below one of the included authorization user base DNs. If at least one excluded authorization user base DN is provided, then this Simple Result Criteria will not match any operations in which the entry for the authorization user exists at or below one of the excluded authorization user base DNs. If no included authorization user base DNs and no excluded user authorization base DNs are provided, then the location of the authorization user entry will not be considered when determining whether an operation matches this Simple Result Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

excluded-authz-user-base-dn

Description
Specifies a base DN below which authorization user entries may exist for operations excluded from this Simple Result Criteria. The authorization user could be the currently authenticated user on the connection (the user that performed the Bind operation), or different if proxied authorization was used to request that the operation be performed under the authorization of another user (as is the case for operations that come through a Directory Proxy Server). This property will be ignored for operations where no authentication or authorization has been performed. If at least one included authorization base DN is provided, then this Simple Result Criteria will only match operations in which the entry for the authorization user exists at or below one of the included authorization user base DNs. If at least one excluded authorization user base DN is provided, then this Simple Result Criteria will not match any operations in which the entry for the authorization user exists at or below one of the excluded authorization user base DNs. If no included authorization user base DNs and no excluded user authorization base DNs are provided, then the location of the authorization user entry will not be considered when determining whether an operation matches this Simple Result Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

all-included-authz-user-group-dn

Description
Specifies the DN of a group in which authorization users must exist for operations included in this Simple Result Criteria. If any group DNs are provided, then the authorization user must be a member of all of those groups. The authorization user could be the currently authenticated user on the connection (the user that performed the Bind operation), or different if proxied authorization was used to request that the operation be performed under the authorization of another user (as is the case for operations that come through a Directory Proxy Server). This property will be ignored for operations where no authentication or authorization has been performed. If one or more all-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is a member of all of the specified groups. If one or more any-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is a member of at least one of the specified groups. If one or more not-all-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is not a member of at least one of the specified groups. If one or more none-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is not a member of any of the specified groups. If no all-included, any-included, not-all-included, or none-included group DNs are provided, then group membership for the authorization user will not be considered when determining whether an operation matches this Simple Result Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

any-included-authz-user-group-dn

Description
Specifies the DN of a group in which authorization users may exist for operations included in this Simple Result Criteria. If any group DNs are provided, then the authorization user must be a member of at least one of those groups. The authorization user could be the currently authenticated user on the connection (the user that performed the Bind operation), or different if proxied authorization was used to request that the operation be performed under the authorization of another user (as is the case for operations that come through a Directory Proxy Server). This property will be ignored for operations where no authentication or authorization has been performed. If one or more all-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is a member of all of the specified groups. If one or more any-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is a member of at least one of the specified groups. If one or more not-all-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is not a member of at least one of the specified groups. If one or more none-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is not a member of any of the specified groups. If no all-included, any-included, not-all-included, or none-included group DNs are provided, then group membership for the authorization user will not be considered when determining whether an operation matches this Simple Result Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

not-all-included-authz-user-group-dn

Description
Specifies the DN of a group in which authorization users should not exist for operations included in this Simple Result Criteria. If any group DNs are provided, then the authorization user must not be a member of at least one of those groups (that is, the user may be a member of zero or more of those groups, but not of all of them). The authorization user could be the currently authenticated user on the connection (the user that performed the Bind operation), or different if proxied authorization was used to request that the operation be performed under the authorization of another user (as is the case for operations that come through a Directory Proxy Server). This property will be ignored for operations where no authentication or authorization has been performed. If one or more all-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is a member of all of the specified groups. If one or more any-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is a member of at least one of the specified groups. If one or more not-all-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is not a member of at least one of the specified groups. If one or more none-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is not a member of any of the specified groups. If no all-included, any-included, not-all-included, or none-included group DNs are provided, then group membership for the authorization user will not be considered when determining whether an operation matches this Simple Result Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

none-included-authz-user-group-dn

Description
Specifies the DN of a group in which authorization users must not exist for operations included in this Simple Result Criteria. If any group DNs are provided, then the authorization user must not be a member any of those groups. The authorization user could be the currently authenticated user on the connection (the user that performed the Bind operation), or different if proxied authorization was used to request that the operation be performed under the authorization of another user (as is the case for operations that come through a Directory Proxy Server). This property will be ignored for operations where no authentication or authorization has been performed. If one or more all-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is a member of all of the specified groups. If one or more any-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is a member of at least one of the specified groups. If one or more not-all-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is not a member of at least one of the specified groups. If one or more none-included authorization user group DNs are provided, then this Simple Result Criteria will only match operations in which the authorization user is not a member of any of the specified groups. If no all-included, any-included, not-all-included, or none-included group DNs are provided, then group membership for the authorization user will not be considered when determining whether an operation matches this Simple Result Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

request-criteria (Advanced Property)

Description
Specifies a request criteria object that must match the associated request for operations included in this Simple Result Criteria.
Default Value
None
Allowed Values
The DN of any Request Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Result Criteria:

dsconfig list-result-criteria
     [--property {propertyName}] ...

To view the configuration for an existing Result Criteria:

dsconfig get-result-criteria-prop
     --criteria-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Result Criteria:

dsconfig set-result-criteria-prop
     --criteria-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Simple Result Criteria:

dsconfig create-result-criteria
     --criteria-name {name}
     --type simple
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Result Criteria:

dsconfig delete-result-criteria
     --criteria-name {name}