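ACI 1 example (lets holders of the group admin role add entries under ou=People; the targattrfilters clause limits the nsroledn values that may be added or deleted to those matching (!(nsroledn=*)), presumably so that creating a user cannot also be used to assign a role):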
aci=(target="ldap:///ou=People,dc=iplanet,dc=com") (targetattr="nsroledn") (targattrfilters="add=nsroledn:(!(nsroledn=*)),del=nsroledn:(!(nsroledn=*))") (version 3.0; acl "Group admin's right to add user to people container"; allow (add) roledn ="ldap:///cn=cn=blach_ou=Groups_dc=iplanet_dc=com,dc=iplanet,dc=com";)
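ACI 2 example (gives the same role all rights on every attribute of the group entry cn=blach,ou=Groups; with allow (all) and targetattr = "*" this is a broad grant, so who can hold the role should be tightly controlled):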
aci=(target="ldap:///cn=blach,ou=Groups, dc=iplanet,dc=com") (targetattr = "*") (version 3.0; acl "Group and people container admin role"; allow (all) roledn = "ldap:///cn=cn=blach_ou=Groups_dc=iplanet_dc=com,dc=iplanet,dc=com";)
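ACI 3 example (gives the role read, write and search on entries that are members of the group and do not hold any of the listed admin roles; because targetattr uses !=, every attribute not named in the list is covered, including attributes added to the schema later, so the exclusion list must be reviewed whenever a sensitive attribute is introduced):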
aci=(target="ldap:///dc=iplanet,dc=com") (targetfilter=(!(|(!(|(memberof=*cn=blach,ou=Groups, dc=iplanet,dc=com) (iplanet-am-static-group-dn=*cn=blach,ou=Groups,dc=iplanet,dc=com))) (|(nsroledn=cn=Top-level Admin Role,dc=iplanet,dc=com) (nsroledn=cn=Top-level Help Desk Admin Role,dc=iplanet,dc=com) (nsroledn=cn=Top-level Policy Admin Role,dc=iplanet,dc=com) (nsroledn=cn=Organization Admin Role,dc=iplanet,dc=com) (nsroledn=cn=Container Admin Role,dc=iplanet,dc=com) (nsroledn=cn=Organization Policy Admin Role,dc=iplanet,dc=com))))) (targetattr != "iplanet-am-web-agent-access-allow-list ||iplanet-am-web-agent-access-not-enforced-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list || nsroledn") (version 3.0; acl "Group admin's right to the members"; allow (read,write,search) roledn = "ldap:///cn=cn=blach_ou=Groups_dc=iplanet_dc=com,dc=iplanet,dc=com";)