The following restrictions apply to ACIs:
If your directory tree is distributed over several servers by using the chaining feature, the following restrictions apply to the use of keywords in access control statements:
ACIs that depend on the groupdn keyword must be located on the same server as the group entry. If the group is dynamic, then all members of the group must have an entry on the server too. If the group is static, the members’ entries can be located on remote servers.
ACIs that depend on the roledn keyword must be located on the same server as the role definition entry. Every entry that is intended to have the role must also be located on the same server.
Attributes generated by a CoS cannot be used with every ACI keyword. Specifically, do not use attributes generated by CoS with the userattr and userdnattr keywords, because the access control rule will not work.
Access control rules are always evaluated on the local server. You must not specify the hostname or port number of the server in LDAP URLs used in ACI keywords.
You cannot grant a user the right to proxy as the Directory Manager, nor can you grant proxy rights to the Directory Manager.
The cache settings used for ensuring that the server fits the physical memory available do not apply to ACI caches, which means that an excessive number of ACIs may saturate available memory.
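The restrictions on LDAP URLs and on CoS-generated attributes can be checked mechanically before ACIs are deployed. The following is an added example, not part of the product documentation: the function name lint_aci, the rule labels, the sample ACIs and the attribute name deptManager are all constructed for illustration, and the list of CoS-generated attributes must be supplied by the administrator because it cannot be derived from the ACI text.

```python
import re

# An LDAP URL inside an ACI should have an empty authority part (ldap:///dn).
# Capture whatever sits between "//" and the next "/", quote or whitespace.
LDAP_URL = re.compile(r'ldaps?://([^/"\s]*)', re.IGNORECASE)

# userattr = "attr#TYPE" (optionally "parent[0,1].attr#TYPE") and
# userdnattr = "attr"; capture the attribute part before any '#'.
USERATTR = re.compile(r'\buser(?:dn)?attr\s*!?=\s*"([^"#]+)', re.IGNORECASE)

# Inheritance prefix that may precede the attribute name in userattr.
PARENT_PREFIX = re.compile(r'^parent\[[^\]]*\]\.', re.IGNORECASE)


def lint_aci(aci, cos_attrs=()):
    """Return a list of (rule, detail) findings for one ACI value.

    cos_attrs: names of attributes generated by CoS in this deployment
    (an input the caller provides; hypothetical in the samples below).
    """
    findings = []
    # Rule 1: ACIs are evaluated locally, so no hostname or port in URLs.
    for m in LDAP_URL.finditer(aci):
        if m.group(1):
            findings.append(("url-host-port", m.group(1)))
    # Rule 2: CoS-generated attributes do not work with userattr/userdnattr.
    cos = {a.lower() for a in cos_attrs}
    for m in USERATTR.finditer(aci):
        attr = PARENT_PREFIX.sub("", m.group(1).strip()).lower()
        if attr in cos:
            findings.append(("cos-attr", attr))
    return findings


# Constructed sample ACIs (not taken from any real directory).
SAMPLE_ACIS = [
    '(targetattr="*")(version 3.0; acl "ok group"; allow (read) '
    'groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "remote url"; allow (read) '
    'userdn="ldap://ds2.example.com:389/uid=*,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "cos attr"; allow (write) '
    'userattr="parent[0,1].deptManager#USERDN";)',
]

if __name__ == "__main__":
    for aci in SAMPLE_ACIS:
        print(lint_aci(aci, cos_attrs=["deptManager"]))
```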