Usually an ACI has subtree scope. You can restrict the scope of an ACI by using the targetscope keyword with the following syntax:
(targetscope="expression")
where expression is one of the following:
base - The ACI applies to the target resource only.
onelevel - The ACI applies to the target resource's first-generation children.
subtree - The ACI applies to the target resource and the subtree below it.
subordinate - The ACI applies only to the subtree below the target resource.
If targetscope is not specified, the default value is subtree.
The following example restricts the ACI target match to only the entry with the distinguished name uid=bjensen,ou=People,dc=example,dc=com and any of the children one level below it:
(target = "ldap:///uid=bjensen,ou=People,dc=example,dc=com")(targetscope="onelevel")
Note - The not-equal operator is not supported for the targetscope keyword.
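The following Python code is an added example, not code from the directory server or its documentation: it reads the targetscope clause from an ACI target string and reports which entry DNs each scope value covers, which is useful when auditing ACIs that silently default to subtree. onelevel follows the keyword description (first-generation children only); the hypothetical onelevel_includes_target flag models the reading in the example sentence above, where the target entry itself also matches, so confirm which one your server applies. The function names, the comma-split DN handling, and every DN other than the bjensen target are assumptions made for the example.

```python
import re

SCOPES = ("base", "onelevel", "subtree", "subordinate")
_CLAUSE = re.compile(r'\(\s*targetscope\s*(!?=)\s*"([^"]*)"\s*\)', re.I)

def effective_scope(aci_target):
    """Return the scope an ACI target string selects, or raise ValueError."""
    m = _CLAUSE.search(aci_target)
    if m is None:
        if "targetscope" in aci_target.lower():
            raise ValueError("malformed targetscope clause")
        return "subtree"  # default when targetscope is not specified
    op, value = m.group(1), m.group(2).strip().lower()
    if op == "!=":
        raise ValueError("targetscope does not support the not-equal operator")
    if value not in SCOPES:
        raise ValueError("unknown targetscope value: %r" % value)
    return value

def _rdns(dn):
    # Simplification: split on commas; escaped commas in RDN values are not handled.
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(target_dn, scope, entry_dn, onelevel_includes_target=False):
    """True if entry_dn is covered by `scope` relative to target_dn."""
    if scope not in SCOPES:
        raise ValueError("unknown targetscope value: %r" % scope)
    target, entry = _rdns(target_dn), _rdns(entry_dn)
    depth = len(entry) - len(target)  # 0 = target itself, 1 = direct child
    if depth < 0 or entry[depth:] != target:
        return False                  # entry is not at or below the target
    return {
        "base": depth == 0,
        "onelevel": depth == 1 or (depth == 0 and onelevel_includes_target),
        "subtree": True,
        "subordinate": depth >= 1,
    }[scope]

# Target string from the page; the other DNs are constructed samples.
ACI_TARGET = ('(target = "ldap:///uid=bjensen,ou=People,dc=example,dc=com")'
              '(targetscope="onelevel")')
TARGET_DN = "uid=bjensen,ou=People,dc=example,dc=com"
ENTRIES = [TARGET_DN, "cn=laptop," + TARGET_DN, "cn=key,cn=laptop," + TARGET_DN,
           "uid=kvaughan,ou=People,dc=example,dc=com"]

if __name__ == "__main__":
    for scope in SCOPES:
        print(scope, [dn for dn in ENTRIES if in_scope(TARGET_DN, scope, dn)])
```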