ACI 1:
aci: (target="ldap:///ROOT_SUFFIX") (targetattr="*") (version 3.0; acl "S1IS Top-level admin rights"; allow (all) roledn = "ldap:///cn=Top-level Admin Role,ROOT_SUFFIX"; )
Members of this role (cn=Top-level Admin Role) have all rights to every entry under the targeted resource ROOT_SUFFIX, which is the root node of the directory: a member of the Top-level Admin Role can delete, read, modify or write any entry under the top node.
ACI 2:
aci: (target="ldap:///cn=amldapuser,ou=DSAME Users,ORG_ROOT_SUFFIX") (targetattr = "*") (version 3.0; acl "S1IS special ldap auth user modify right"; deny (write) roledn !="ldap:///cn=Top-level Admin Role,ROOT_SUFFIX";)
This ACI denies write access to the targeted entry (cn=amldapuser) to any bind DN that is not a member of the Top-level Admin Role, so only members of that role can modify/write it. In other words:
modify/write access to the targeted entry (cn=amldapuser) is granted for a user who binds with a DN that belongs to the Top-level Admin Role;
modify/write access to the targeted entry (cn=amldapuser) is denied for a user who binds with a DN that does not belong to the Top-level Admin Role.
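To make the interaction between the two ACIs concrete, the following added example (written for this page, not code from Sun Java System Identity Server or the Directory Server) parses the subset of ACI syntax used above and evaluates who may do what. It fills the ROOT_SUFFIX and ORG_ROOT_SUFFIX placeholders with an assumed suffix, dc=example,dc=com, and applies the Directory Server precedence rule in simplified form: an applicable deny always wins over an allow, and a request that no ACI allows is refused. The evaluation shows why ACI 2 is a deny rule rather than an allow: ACI 1 already grants write to role members, and ACI 2 makes sure no other ACI can hand that write right to anyone else.

```python
import re

# Constructed example: the two ACIs from the page, with the ROOT_SUFFIX /
# ORG_ROOT_SUFFIX placeholders filled with an assumed suffix.
ROOT_SUFFIX = "dc=example,dc=com"       # assumption, not a value from the page
ORG_ROOT_SUFFIX = ROOT_SUFFIX           # assumption: organization root equals the root suffix

ADMIN_ROLE = f"cn=Top-level Admin Role,{ROOT_SUFFIX}"
AMLDAPUSER = f"cn=amldapuser,ou=DSAME Users,{ORG_ROOT_SUFFIX}"

ACIS = [
    f'(target="ldap:///{ROOT_SUFFIX}") (targetattr="*") (version 3.0; '
    f'acl "S1IS Top-level admin rights"; allow (all) roledn = "ldap:///{ADMIN_ROLE}"; )',
    f'(target="ldap:///{AMLDAPUSER}") (targetattr = "*") (version 3.0; '
    f'acl "S1IS special ldap auth user modify right"; deny (write) roledn !="ldap:///{ADMIN_ROLE}";)',
]

# Rights that "(all)" expands to in Directory Server ACIs.
ALL_RIGHTS = {"read", "search", "compare", "write", "add", "delete", "selfwrite", "proxy"}

_TARGET = re.compile(r'\(target\s*=\s*"ldap:///([^"]+)"\)')
_TARGETATTR = re.compile(r'\(targetattr\s*=\s*"([^"]+)"\)')
_ACL = re.compile(r'acl\s+"([^"]+)"')
_RULE = re.compile(r'(allow|deny)\s*\(([^)]+)\)\s*roledn\s*(!=|=)\s*"ldap:///([^"]+)"')


def parse_aci(text):
    """Parse the subset of ACI syntax used on the page (one roledn bind rule)."""
    target, attrs, acl, rule = (rx.search(text) for rx in (_TARGET, _TARGETATTR, _ACL, _RULE))
    if not (target and attrs and acl and rule):
        raise ValueError(f"unsupported ACI: {text}")
    effect, rights, op, role = rule.groups()
    rights = {r.strip().lower() for r in rights.split(",")}
    if "all" in rights:
        rights = set(ALL_RIGHTS)
    return {
        "name": acl.group(1),
        "target": target.group(1).lower(),
        "attrs": {a.strip().lower() for a in attrs.group(1).split("||")},
        "effect": effect,
        "rights": rights,
        "role_match": op == "=",   # True for 'roledn = X', False for 'roledn != X'
        "role": role.lower(),
    }


def _in_scope(entry_dn, target):
    """A target covers the entry itself and every entry below it (subtree)."""
    entry_dn = entry_dn.lower()
    return entry_dn == target or entry_dn.endswith("," + target)


def _bind_rule_matches(aci, bind_roles):
    has_role = aci["role"] in {r.lower() for r in bind_roles}
    return has_role if aci["role_match"] else not has_role


def evaluate(acis, bind_roles, entry_dn, attr, right):
    """Return (granted, [names of the ACIs that applied]).

    Simplified Directory Server semantics: an applicable deny always wins,
    an applicable allow is required, and no applicable ACI means no access.
    """
    attr = attr.lower()
    applied, allowed, denied = [], False, False
    for aci in acis:
        if not _in_scope(entry_dn, aci["target"]):
            continue
        if "*" not in aci["attrs"] and attr not in aci["attrs"]:
            continue
        if right not in aci["rights"]:
            continue
        if not _bind_rule_matches(aci, bind_roles):
            continue
        applied.append(aci["name"])
        if aci["effect"] == "deny":
            denied = True
        else:
            allowed = True
    return (allowed and not denied), applied


PARSED = [parse_aci(a) for a in ACIS]

if __name__ == "__main__":
    for roles, label in (([ADMIN_ROLE], "admin"), ([], "non-admin")):
        for right in ("read", "write"):
            ok, names = evaluate(PARSED, roles, AMLDAPUSER, "userPassword", right)
            print(f"{label:9} {right:5} on amldapuser -> {'granted' if ok else 'denied':7} via {names}")
```

A useful check to run against a real deployment is the non-admin read case: ACI 2 only denies write, so whether anyone outside the role can read cn=amldapuser depends entirely on the other ACIs in the tree, which is where a review of the live ACI set should start.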