ACI 1:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX) (nsroledn=cn=Organization Admin Role,ORG_ROOT_SUFFIX))))(targetattr = "*") (version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; allow (read,search) roledn = "ldap:///cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX";)
Members of Organization Help Desk Admin Role:
have read and search rights to all entries under the root suffix.
do not have any rights to read or search the entries of members who belong to Top-level Help Desk Admin Role, Top-level Policy Admin Role, and Organization Admin Role.
ACI 2:
aci: (target="ldap:///ROOT_SUFFIX") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX) (nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX) (nsroledn=cn=Organization Admin Role,ORG_ROOT_SUFFIX)))) (targetattr = "userPassword") (version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; allow (write) roledn = "ldap:///cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX";)
Members of Organization Help Desk Admin Role:
have write permissions to the userPassword attribute for all users under the root suffix.
do not have write permissions to the userPassword attribute of members who belong to Top-level Help Desk Admin Role, Top-level Policy Admin Role, and Organization Admin Role.
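
The scope of both ACIs can be checked mechanically from their text; note that the target filter names four roles, including Top-level Admin Role. The Python below is an added example, not part of the original documentation or the product: it parses the two ACIs above and evaluates each one in isolation. The helper names, the constructed requests, and the simplification of ignoring other ACIs and the target DN are assumptions.

```python
import re

# Text of ACI 1 and ACI 2 as given above; ROOT_SUFFIX / ORG_ROOT_SUFFIX are the page's placeholders.
TARGET = ('(target="ldap:///ROOT_SUFFIX") (targetfilter=(!(|'
          '(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX) '
          '(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX) '
          '(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX) '
          '(nsroledn=cn=Organization Admin Role,ORG_ROOT_SUFFIX))))')
NAME = '(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; '
BIND = 'roledn = "ldap:///cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX";)'
ACI1 = TARGET + '(targetattr = "*") ' + NAME + 'allow (read,search) ' + BIND
ACI2 = TARGET + ' (targetattr = "userPassword") ' + NAME + 'allow (write) ' + BIND

# Role DNs used in the constructed requests below.
HELP_DESK = "cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX"
ORG_ADMIN = "cn=Organization Admin Role,ORG_ROOT_SUFFIX"
TOP_ADMIN = "cn=Top-level Admin Role,ROOT_SUFFIX"

def parse_aci(text):
    """Extract the parts of an ACI that decide who may do what to which entries."""
    return {
        "excluded": {r.lower() for r in re.findall(r'\(nsroledn=([^)]+)\)', text)},
        "attr": re.search(r'targetattr\s*=\s*"([^"]+)"', text).group(1).lower(),
        "rights": {r.strip() for r in re.search(r'allow\s*\(([^)]+)\)', text).group(1).split(",")},
        "subject": re.search(r'roledn\s*=\s*"ldap:///([^"]+)"', text).group(1).lower(),
    }

def allows(aci, requester_roles, target_roles, attr, right):
    """Hypothetical helper: does this one ACI grant `right` on `attr` of the target entry?"""
    if aci["subject"] not in {r.lower() for r in requester_roles}:
        return False  # bind rule: requester must hold the help desk role
    if aci["excluded"] & {r.lower() for r in target_roles}:
        return False  # targetfilter (!(|...)): entry holds a protected role
    if aci["attr"] not in ("*", attr.lower()):
        return False  # targetattr does not cover the requested attribute
    return right in aci["rights"]

def report():
    """Evaluate a few constructed requests made by a help desk admin."""
    a1, a2 = parse_aci(ACI1), parse_aci(ACI2)
    return {
        "read mail of ordinary user": allows(a1, [HELP_DESK], [], "mail", "read"),
        "reset ordinary user password": allows(a2, [HELP_DESK], [], "userPassword", "write"),
        "reset Organization Admin password": allows(a2, [HELP_DESK], [ORG_ADMIN], "userPassword", "write"),
        "reset Top-level Admin password": allows(a2, [HELP_DESK], [TOP_ADMIN], "userPassword", "write"),
        "write mail of ordinary user": allows(a2, [HELP_DESK], [], "mail", "write"),
    }

if __name__ == "__main__":
    for request, granted in report().items():
        print(f"{request}: {'allowed' if granted else 'not granted'}")
```

A real directory server combines every applicable ACI, so a result of "not granted" here means only that this ACI does not grant the right.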