The proprietary get effective rights request control may be included in a search request to indicate that matching entries should include one or more aclRights attributes with the access control permissions that a given user may have when interacting with the entry. The control has an OID of 1.3.6.1.4.1.42.2.27.9.5.2, and it takes a value. The following fields may be present in the value-json representation of the value:

• authorization-id: A mandatory string field whose value is the authorization identity of the user for whom to make the access control determination.

• attributes: An optional array field whose values are the names of the attributes for which to calculate effective rights. If this is not provided, or if it is empty, then the default behavior calculates effective rights for all user attributes in the entry.

The following sample shows the JSON encoding for the control:

{ 
    "oid":"1.3.6.1.4.1.42.2.27.9.5.2",
    "control-name":"Get Effective Rights Request Control",
    "criticality":false,
    "value-json":{ 
        "authorization-id":"dn:uid=jdoe,ou=People,dc=example,dc=com",
        "attributes":[ 
            "uid",
            "mail",
            "telephoneNumber",
            "userPassword" 
            ] 
    } 
}