Technical Note: Sun Java System Access Manager ACI Guide

Deny Write Access Role ACIs

ACI 1:

aci: (targetattr = "*")
(version 3.0; acl "S1IS Deny write to anonymous user"; deny (add,write,delete) 
roledn ="ldap:///cn=Deny Write Access,ROOT_SUFFIX";)

Members of the Deny Write Access role (that is, anonymous users) do not have add, write, or delete rights to all entries under the root suffix. Anonymous users are allowed only to search and read entries.