ACI 1:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))) (targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (read,search) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)
Members with the Top-level Policy Admin role:
have permission only to read or search the entries under the default organization (root suffix node)
have no read or search permission on the entries of Top-level Admin Role members (the targetfilter excludes every entry whose nsroledn is the Top-level Admin Role)
ACI 2:
aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*ROOT_SUFFIX") (targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access Auth Service deny"; deny(add,write,delete) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)
Members with the Top-level Policy Admin role do not have permission to add, write, or delete any entry under the authentication service. This authentication service, iPlanetAMAuthService, is in the services node of the default organization (root suffix node). Because the target DN contains a wildcard (*ROOT_SUFFIX), this ACI is also enforced in the sub-organizations created under the default organization.
ACI 3:
aci: (target="ldap:///ou=services,*ROOT_SUFFIX")(targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (all) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)
Members with the Top-level Policy Admin role have all permissions (read, modify, search, add, write, and delete) on every entry of every service under the default organization (root suffix node). Because a deny ACI takes precedence over an allow ACI, ACI 2 above still removes the add, write, and delete permissions on the authentication service. As with ACI 2, the wildcard in the target DN means this ACI is also enforced in the sub-organizations created under the default organization.
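To make the interaction between ACI 2 and ACI 3 concrete, here is an added Python example (it is not part of the original documentation nor code from the Sun ONE Identity Server product) that parses the two ACIs exactly as written above and evaluates requests the way Directory Server does, in miniature: a matching deny takes precedence over any allow, the default is deny, and a `*` in the target DN matches intermediate RDNs, which is what extends the rules to sub-organizations. It handles only target, targetattr, the allow/deny rights and the roledn bind rule; targetfilter is not modeled, ACI 1 and ACI 4 are not loaded, and the root suffix dc=iplanet,dc=com, the o=SubOrg sub-organization and the service name iPlanetAMExampleService are constructed values.

```python
import re
from dataclasses import dataclass

# Constructed values: the page's example substitutes ROOT_SUFFIX with dc=iplanet,dc=com.
ROOT_SUFFIX = "dc=iplanet,dc=com"
POLICY_ADMIN_ROLE = f"cn=Top-level Policy Admin Role,{ROOT_SUFFIX}"

# Rights that the keyword "all" expands to in Directory Server ACIs (proxy is excluded).
ALL_RIGHTS = frozenset({"read", "write", "add", "delete", "search", "compare", "selfwrite"})


@dataclass(frozen=True)
class Aci:
    name: str           # the acl "..." label
    target: str         # normalized target DN, may contain '*'
    targetattr: str     # '*' or attribute names separated by '||'
    effect: str         # 'allow' or 'deny'
    rights: frozenset   # rights named in the permission clause
    roledn: str         # normalized role DN from the bind rule


def norm_dn(dn):
    """Lower-case a DN and drop whitespace around RDN separators so comparisons are stable."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(line):
    """Parse the ACI subset used on this page: target, targetattr, acl name,
    allow/deny rights and a roledn bind rule. targetfilter is not evaluated."""
    body = line.split(":", 1)[1] if line.lstrip().startswith("aci:") else line
    target = re.search(r'\(target\s*=\s*"ldap:///([^"]+)"\)', body).group(1)
    targetattr = re.search(r'\(targetattr\s*=\s*"([^"]+)"\)', body).group(1)
    perm = re.search(
        r'acl\s*"([^"]+)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*roledn\s*=\s*"ldap:///([^"]+)"\s*;',
        body,
    )
    name, effect, rights, roledn = perm.groups()
    right_set = {r.strip().lower() for r in rights.split(",")}
    if "all" in right_set:
        right_set = set(ALL_RIGHTS)
    return Aci(name, norm_dn(target), targetattr.strip(), effect, frozenset(right_set), norm_dn(roledn))


def target_matches(aci, entry_dn):
    """An ACI covers its target entry and everything beneath it; a '*' in the target
    stands for any run of intermediate RDNs, so the rule also reaches sub-organizations."""
    pattern = re.escape(aci.target).replace(r"\*", ".*")
    return re.fullmatch(r"(?:.+,)?" + pattern, norm_dn(entry_dn)) is not None


def attr_matches(aci, attr):
    """targetattr "*" covers every attribute (and entry-level rights such as add/delete)."""
    if aci.targetattr == "*":
        return True
    if attr is None:
        return False
    return attr.lower() in {a.strip().lower() for a in aci.targetattr.split("||")}


def evaluate(acis, bind_roles, entry_dn, right, attr=None):
    """Return True if a bind DN holding `bind_roles` gets `right` on entry_dn/attr.
    Any applicable deny wins over every allow; with no applicable allow the default is deny."""
    roles = {norm_dn(r) for r in bind_roles}
    applicable = [
        a for a in acis
        if a.roledn in roles and right in a.rights
        and target_matches(a, entry_dn) and attr_matches(a, attr)
    ]
    if any(a.effect == "deny" for a in applicable):
        return False
    return any(a.effect == "allow" for a in applicable)


# ACI 2 and ACI 3 as written on the page, with ROOT_SUFFIX substituted.
PAGE_ACIS = [
    'aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*ROOT_SUFFIX") (targetattr = "*") '
    '(version 3.0; acl "S1IS Top-level Policy Admin Role access Auth Service deny"; '
    'deny(add,write,delete) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)',
    'aci: (target="ldap:///ou=services,*ROOT_SUFFIX")(targetattr = "*") '
    '(version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; '
    'allow (all) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)',
]
ACIS = [parse_aci(a.replace("ROOT_SUFFIX", ROOT_SUFFIX)) for a in PAGE_ACIS]

# Constructed entry DNs: the authentication service in the root organization and in a
# sub-organization, plus a hypothetical second service under ou=services.
AUTH_SERVICE = f"ou=iPlanetAMAuthService,ou=services,{ROOT_SUFFIX}"
AUTH_SERVICE_SUBORG = f"ou=iPlanetAMAuthService,ou=services,o=SubOrg,{ROOT_SUFFIX}"
OTHER_SERVICE = f"ou=iPlanetAMExampleService,ou=services,{ROOT_SUFFIX}"


def policy_admin_can(right, entry_dn, attr=None):
    """What does a member of the Top-level Policy Admin Role get on this entry?"""
    return evaluate(ACIS, [POLICY_ADMIN_ROLE], entry_dn, right, attr)


if __name__ == "__main__":
    for right, dn in [("read", AUTH_SERVICE), ("write", AUTH_SERVICE),
                      ("delete", AUTH_SERVICE_SUBORG), ("write", OTHER_SERVICE)]:
        print(f"{right:6} {dn}: {'allow' if policy_admin_can(right, dn) else 'deny'}")
```

Running the script shows read on the authentication service allowed (ACI 3), write on it denied (ACI 2 overrides ACI 3), delete denied even in the sub-organization (the wildcard), and write allowed on the other service because ACI 2's target does not reach it. Note that an entry outside ou=services, such as ou=People, is denied only because ACI 1 is not loaded in this model.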
ACI 4:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter="(objectclass=ORG_OBJECT_CLASS)") (targetattr = "sunRegisteredServiceName") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (read,write,search) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)
Members with the Top-level Policy Admin role have permission to read, write, or search the sunRegisteredServiceName attribute of all entries whose object class matches ORG_OBJECT_CLASS.
For example, with ROOT_SUFFIX set to dc=iplanet,dc=com and ORG_OBJECT_CLASS set to sunmanagedorganization:
aci: (target="ldap:///dc=iplanet,dc=com") (targetfilter="(objectclass=sunmanagedorganization)") (targetattr = "sunRegisteredServiceName") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; allow (read,write,search) roledn = "ldap:///cn=Top-level Policy Admin Role,dc=iplanet,dc=com";)