ACI 1:
aci: (target="ldap:///($dn),ROOT_SUFFIX") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)))) (targetattr != "nsroledn")(version 3.0; acl "S1IS Organization Admin Role access allow all"; allow (all) roledn = "ldap:///cn=Organization Admin Role,[$dn],ORG_ROOT_SUFFIX";)
This ACI grants all permissions to members of the Organization Admin Role. Members of the Organization Admin Role have 'all' permissions on the organization entry and on every entry and attribute under that organization. The 'all' access does not extend to the nsroledn attribute, nor to entries whose nsroledn attribute holds the value Top-level Admin Role, Top-level Help Desk Admin Role, or Top-level Policy Admin Role.
In other words, members of the Organization Admin Role cannot read, write, delete, modify, or search the directory entries of Top-level Admins, Top-level Help Desk Admins, and Top-level Policy Admins. Members of the Organization Admin Role do have permission to modify the nsroledn attribute in their own profiles; however, they cannot assign the following values to the nsroledn attribute:
Top-level Admin Role
Top-level Help Desk Admin Role
Top-level Policy Admin Role
ACI 2:
aci: (target="ldap:///cn=Organization Admin Role,($dn),ORG_ROOT_SUFFIX") (targetattr="*")(version 3.0; acl "S1IS Organization Admin Role access deny"; deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=Organization Admin Role,($dn),ORG_ROOT_SUFFIX";)
Members of the Organization Admin Role are denied write, add, delete, compare, and proxy permissions on all attributes of the Organization Admin Role entry for that organization.
ACI #1 allows modification of everything under the sub-tree in which the role exists, except that members cannot edit users who hold the Top-level Admin and Top-level Help Desk Admin roles.
ACI #2 prevents organization admins from modifying the attributes of their own Organization Admin Role entry. ACI #2 is needed so that the Organization Admin Role can grant users only the roles that are defined strictly within this sub-tree.
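As an added example (not code from the page or from the product), the following Python model shows how the two ACIs combine: it parses the ACI syntax quoted above, expands the ($dn) and [$dn] macros against constructed sample entries under an assumed suffix of dc=example,dc=com (the page leaves ROOT_SUFFIX and ORG_ROOT_SUFFIX symbolic), and applies the directory server rule that an explicit deny overrides an allow. Only the two ACIs on this page are loaded, so anything neither of them grants falls to the default deny. The filter evaluator handles only !, |, & and equality, and DNs are split on commas without escape handling; both are simplifications for this illustration.

```python
"""Toy model of how the two Organization Admin Role ACIs above are evaluated."""
import re

# Constructed placeholder suffixes; the page leaves ROOT_SUFFIX and ORG_ROOT_SUFFIX symbolic.
ROOT_SUFFIX = "dc=example,dc=com"
ORG_ROOT_SUFFIX = "dc=example,dc=com"

# The two ACIs as quoted on the page (macros still unexpanded).
ACI_1 = ('(target="ldap:///($dn),ROOT_SUFFIX") '
         '(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX) '
         '(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX) '
         '(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)))) '
         '(targetattr != "nsroledn")(version 3.0; '
         'acl "S1IS Organization Admin Role access allow all"; allow (all) '
         'roledn = "ldap:///cn=Organization Admin Role,[$dn],ORG_ROOT_SUFFIX";)')
ACI_2 = ('(target="ldap:///cn=Organization Admin Role,($dn),ORG_ROOT_SUFFIX") '
         '(targetattr="*")(version 3.0; acl "S1IS Organization Admin Role access deny"; '
         'deny (write,add,delete,compare,proxy) '
         'roledn = "ldap:///cn=Organization Admin Role,($dn),ORG_ROOT_SUFFIX";)')


def _balanced(s, start):
    """Return the parenthesised group that opens at s[start]."""
    depth = 0
    for i in range(start, len(s)):
        depth += {"(": 1, ")": -1}.get(s[i], 0)
        if depth == 0:
            return s[start:i + 1]
    raise ValueError("unbalanced parentheses in ACI")


def parse_aci(text):
    """Split one ACI into target, targetfilter, targetattr, permissions and roledn bind rule."""
    text = re.sub(r"\bORG_ROOT_SUFFIX\b", ORG_ROOT_SUFFIX, text)
    text = re.sub(r"\bROOT_SUFFIX\b", ROOT_SUFFIX, text)
    i = text.find("(targetfilter=")
    attr = re.search(r'\(targetattr\s*(!=|=)\s*"([^"]*)"\)', text)
    rule = re.search(r"\b(allow|deny)\s*\(([^)]*)\)", text)
    return {
        "name": re.search(r'acl\s+"([^"]+)"', text).group(1),
        "target": re.search(r'\(target="ldap:///([^"]+)"\)', text).group(1),
        "filter": _balanced(text, i)[len("(targetfilter="):-1] if i >= 0 else None,
        "attr_op": attr.group(1),
        "attr_val": attr.group(2),
        "effect": rule.group(1),
        "perms": {p.strip() for p in rule.group(2).split(",")},
        "roledn": re.search(r'roledn\s*=\s*"ldap:///([^"]+)"', text).group(1),
    }


def _match_filter(flt, attrs):
    """Evaluate a minimal LDAP filter (!, |, & and attr=value equality) against an entry's attributes."""
    flt = flt.strip()
    assert flt[0] == "(" and flt[-1] == ")"
    body = flt[1:-1]
    if body[0] in "!|&":
        subs, pos = [], 1
        while pos < len(body):
            if body[pos] == "(":
                sub = _balanced(body, pos)
                subs.append(_match_filter(sub, attrs))
                pos += len(sub)
            else:
                pos += 1  # whitespace between sub-filters
        return {"!": lambda r: not r[0], "|": any, "&": all}[body[0]](subs)
    name, _, value = body.partition("=")
    return value.lower() in {v.lower() for v in attrs.get(name.strip().lower(), [])}


def _target_match(template, dn):
    """Match a DN against a target containing ($dn); return the text the macro matched, or None."""
    pat = re.escape(template).replace(re.escape("($dn)"), "(?P<dn>.+)")
    m = re.fullmatch(pat, dn, re.IGNORECASE)
    return m.group("dn") if m else None


def _bind_match(roledn_template, dn_macro, bind_roles):
    """[$dn] is tried with the matched RDN chain and every shorter suffix of it; ($dn) only with the whole chain."""
    rdns = dn_macro.split(",")  # no escaped-comma handling in this toy model
    if "[$dn]" in roledn_template:
        key, candidates = "[$dn]", [",".join(rdns[i:]) for i in range(len(rdns))]
    else:
        key, candidates = "($dn)", [dn_macro]
    roles = {r.lower() for r in bind_roles}
    return any(roledn_template.replace(key, c).lower() in roles for c in candidates)


def check(acis, bind_roles, entry, attr, perm):
    """Decide one (bind roles, entry, attribute, permission) request: deny beats allow, default deny."""
    verdicts = []
    for aci in acis:
        dn_macro = _target_match(aci["target"], entry["dn"])
        if dn_macro is None:
            continue
        if aci["filter"] and not _match_filter(aci["filter"], entry["attrs"]):
            continue
        attr_hit = aci["attr_val"] == "*" or attr.lower() == aci["attr_val"].lower()
        if (aci["attr_op"] == "=") != attr_hit:  # targetattr="x" needs a hit, targetattr!="x" needs a miss
            continue
        if not ("all" in aci["perms"] or perm in aci["perms"]):
            continue
        if _bind_match(aci["roledn"], dn_macro, bind_roles):
            verdicts.append(aci["effect"])
    if "deny" in verdicts:
        return "deny"
    return "allow" if "allow" in verdicts else "deny"


ACIS = [parse_aci(ACI_1), parse_aci(ACI_2)]


def scenarios():
    """Constructed sample entries; returns the verdict for each case the text describes."""
    org1_admin = {"cn=Organization Admin Role,o=org1,dc=example,dc=com"}
    alice = {"dn": "uid=alice,ou=People,o=org1,dc=example,dc=com",
             "attrs": {"objectclass": ["inetorgperson"], "mail": ["alice@example.com"]}}
    bob = {"dn": "uid=bob,ou=People,o=org1,dc=example,dc=com",
           "attrs": {"nsroledn": ["cn=Top-level Admin Role,dc=example,dc=com"]}}
    role = {"dn": "cn=Organization Admin Role,o=org1,dc=example,dc=com",
            "attrs": {"objectclass": ["nsmanagedroledefinition"]}}
    carol = {"dn": "uid=carol,ou=People,o=org2,dc=example,dc=com", "attrs": {}}
    return {
        "write ordinary user in own org": check(ACIS, org1_admin, alice, "mail", "write"),
        "write user holding Top-level Admin Role": check(ACIS, org1_admin, bob, "mail", "write"),
        "write own role entry": check(ACIS, org1_admin, role, "description", "write"),
        "read own role entry": check(ACIS, org1_admin, role, "description", "read"),
        "write user in another org": check(ACIS, org1_admin, carol, "mail", "write"),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{verdict:5}  {case}")
```

The "write own role entry" case is the one ACI #2 exists for: ACI #1 alone would allow it, because the role entry sits under the organization sub-tree and carries no nsroledn value excluded by the targetfilter, and only the explicit deny in ACI #2 stops the organization admin from rewriting its own role definition. Reading the role entry remains allowed, since ACI #2 lists only write, add, delete, compare and proxy.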