# Access to users' personal address books

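# Personal address book container (cn=<uid>,ou=personal,ou=contacts,o=<org>,...):
# the owner may read the container's "entry" pseudo-attribute, the organisation's
# egwadmin account may write it, and every other authenticated user gets nothing.
# $1 = address book cn (must equal the owner's uid), $2 = organisation.
# The "by" DNs use dn.exact,expand so that $1/$2 are substituted literally and
# the whole bind DN has to match. An unanchored dn.regex in a "by" clause also
# matches any DN that merely contains the string, and regex metacharacters in
# the captured values would be interpreted as a pattern.
# slapd stops at the first matching "access to" clause, so this rule has to stay
# ahead of the broader, unanchored address book rules.
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=entry
	by dn.exact,expand="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" read
	by dn.exact,expand="cn=egwadmin,o=$2,dc=domain,dc=com" write
	by users none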

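# Let the owner add and remove entries in their own address book; no other
# user gets access. Creating an entry needs write access to the parent's
# "children" pseudo-attribute (this rule) and to the new entry's "entry"
# pseudo-attribute (granted by a separate rule).
# The pattern has no leading ^, so it matches the address book and everything
# below it; $1 is the cn directly above ou=personal, $2 the organisation.
# A stricter spelling is "^(.+,)?cn=([^,]+),ou=personal,..." with the captures
# shifted to $2/$3.
# The owner DN uses dn.exact,expand: the captures are substituted literally and
# the whole bind DN must match, which an unanchored dn.regex does not guarantee.
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=children
	by dn.exact,expand="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" write
	by users none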

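# Let the owner write the entries in their own address book: the "entry"
# pseudo-attribute (needed to create or delete an entry) plus every attribute
# allowed by the inetOrgPerson, mozillaAbPersonAlpha and evolutionPerson
# object classes. No other user gets access.
# The pattern has no leading ^, so it also matches the address book container;
# the container's "entry" attribute is already decided by the earlier anchored
# rule because slapd stops at the first matching "access to" clause.
# The owner DN uses dn.exact,expand: the captures are substituted literally and
# the whole bind DN must match, which an unanchored dn.regex does not guarantee.
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
	by dn.exact,expand="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" write
	by users none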

# Access to group address books

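# Group address book container (cn=<group>,ou=shared,ou=contacts,o=<org>,...):
# members of the group with the same cn may read the container's "entry"
# pseudo-attribute, the organisation's egwadmin account may write it, and every
# other authenticated user gets nothing.
# $1 = address book cn (must equal the group's cn), $2 = organisation.
# group.expand without an objectClass/attribute qualifier tests membership with
# slapd's defaults (groupOfNames / member) - verify the groups are stored that
# way, otherwise this clause never matches.
# The egwadmin DN uses dn.exact,expand so that $2 is substituted literally and
# the whole bind DN has to match; an unanchored dn.regex would also match any
# DN that merely contains the string.
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=entry
	by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" read
	by dn.exact,expand="cn=egwadmin,o=$2,dc=domain,dc=com" write
	by users none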

# Let group members add and remove entries in their group's address book; no
# other user gets access. Creating an entry needs write access to the parent's
# "children" pseudo-attribute (this rule) and to the new entry's "entry"
# pseudo-attribute (granted by a separate rule).
# The pattern has no leading ^, so it matches the address book and everything
# below it; $1 is the cn directly above ou=shared, $2 the organisation.
# NOTE(review): group.expand without an objectClass/attribute qualifier uses
# slapd's defaults (groupOfNames / member) - confirm the groups match that.
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=children
	by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
	by users none

# Let group members write the entries in their group's address book: the
# "entry" pseudo-attribute (needed to create or delete an entry) plus every
# attribute allowed by the inetOrgPerson, mozillaAbPersonAlpha and
# evolutionPerson object classes. No other user gets access.
# The pattern has no leading ^, so it also matches the address book container;
# the container's "entry" attribute is already decided by the earlier anchored
# rule because slapd stops at the first matching "access to" clause.
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
	by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
	by users none