ACI 1:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX))) (targetattr="*") (version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow"; allow (read,search) roledn="ldap:///cn=Top-level Help Desk Admin Role,ROOT_SUFFIX";)
Members of the Top-level Help Desk Admin Role:
have read and search permission only, on all entries under the default organization (the root suffix node)
do not have read or search permission on the entries of Top-level Admin Role members (the targetfilter excludes any entry whose nsroledn names that role).
ACI 2:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX))) (targetattr="userPassword") (version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow"; allow (write) roledn="ldap:///cn=Top-level Help Desk Admin Role,ROOT_SUFFIX";)
Members of the Top-level Help Desk Admin Role:
have write permission only on the userPassword attribute, for all entries under the root suffix node (default organization)
do not have write permission on the userPassword attribute of Top-level Admin Role members.
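As an added example (not from the original page or from Identity Server itself), the following Python model evaluates the two ACIs above against constructed entries, assuming a placeholder ROOT_SUFFIX of dc=example,dc=com, and reports what a Help Desk Admin may do to each entry. It also makes visible that the targetfilter excludes only Top-level Admin Role members, so the userPassword of other Help Desk Admins (and of the requester's own entry) remains writable, which is worth confirming is intended when reviewing this policy.

```python
# Added example, not from the original page: a simplified model of how these two
# ACIs combine. Directory Server denies unless an ACI allows; deny ACIs and
# precedence rules are out of scope here (assumption).

ROOT_SUFFIX = "dc=example,dc=com"   # placeholder for the page's ROOT_SUFFIX
TOP_ADMIN = f"cn=Top-level Admin Role,{ROOT_SUFFIX}"
HELP_DESK = f"cn=Top-level Help Desk Admin Role,{ROOT_SUFFIX}"

# ACI 1 and ACI 2 from the page, reduced to the fields the evaluator uses.
ACIS = [
    {"exclude_role": TOP_ADMIN, "attrs": "*", "rights": {"read", "search"}, "roledn": HELP_DESK},
    {"exclude_role": TOP_ADMIN, "attrs": {"userpassword"}, "rights": {"write"}, "roledn": HELP_DESK},
]

# Constructed sample entries; nsroledn holds the roles each entry is a member of.
ENTRIES = {
    "alice": {"dn": f"uid=alice,ou=People,{ROOT_SUFFIX}", "nsroledn": set()},
    "bob":   {"dn": f"uid=bob,ou=People,{ROOT_SUFFIX}", "nsroledn": {HELP_DESK}},
    "root":  {"dn": f"uid=root,ou=People,{ROOT_SUFFIX}", "nsroledn": {TOP_ADMIN}},
    "eve":   {"dn": "uid=eve,dc=other,dc=org", "nsroledn": set()},  # outside target
}

def allowed(requester_roles, entry, attr, right):
    """True if at least one ACI grants `right` on `attr` of `entry`."""
    for aci in ACIS:
        if aci["roledn"] not in requester_roles:       # bind rule: roledn="..."
            continue
        if not entry["dn"].endswith(ROOT_SUFFIX):      # target="ldap:///ROOT_SUFFIX"
            continue
        if aci["exclude_role"] in entry["nsroledn"]:   # targetfilter=(!(nsroledn=...))
            continue
        if aci["attrs"] != "*" and attr.lower() not in aci["attrs"]:  # targetattr
            continue
        if right in aci["rights"]:                     # allow (read,search) / allow (write)
            return True
    return False                                       # no allow matched: implicit deny

OPS = {"read mail": ("mail", "read"), "write mail": ("mail", "write"),
       "write userPassword": ("userPassword", "write")}

def help_desk_matrix(entry_name):
    """What a Help Desk Admin may do to one entry, for a review table."""
    e = ENTRIES[entry_name]
    return {op: allowed({HELP_DESK}, e, a, r) for op, (a, r) in OPS.items()}

if __name__ == "__main__":
    for name in ENTRIES:
        print(f"{name:6} {help_desk_matrix(name)}")
```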