Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition

ACI “Roles”

In LDIF, to grant employees the right to add any role to their own entry, except the superAdmin role, you would write the following statement:

aci: (targetattr="*") (targattrfilters="add=nsRoleDN:
 (nsRoleDN !="cn=superAdmin, dc=example, dc=com")")
 (version 3.0; acl "Roles"; allow (write)
 userdn= "ldap:///self" ;)

This example assumes that the ACI is added to the ou=People,dc=example, dc=com entry.
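The decision this ACI encodes can be modeled in a few lines. The following is an added example, not Oracle's code: a simplified Python model that checks the scope of the ACI, the "ldap:///self" bind rule, and the targattrfilters condition on each nsRoleDN value being added. It assumes this is the only ACI in effect, uses a simplified DN normalization, and the user and role DNs other than superAdmin are constructed samples.

```python
# Simplified model of the "Roles" ACI decision for an nsRoleDN add.
# Assumption: this is the only ACI in effect; sample DNs are constructed.

ACI_ENTRY = "ou=People,dc=example,dc=com"             # entry holding the ACI
FORBIDDEN_ROLE = "cn=superAdmin, dc=example, dc=com"  # from the ACI filter


def norm_dn(dn):
    """Normalize a simple DN: lowercase, trim spaces around ',' and '='.

    Enough for these sample DNs; does not handle escaped commas or
    multi-valued RDNs.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)


def in_scope(target_dn):
    """The ACI covers the entry that holds it and the subtree below."""
    t, base = norm_dn(target_dn), norm_dn(ACI_ENTRY)
    return t == base or t.endswith("," + base)


def roles_aci_allows(bind_dn, target_dn, added_roles):
    """Return True if the ACI grants this add of nsRoleDN values."""
    if not in_scope(target_dn):
        return False                      # ACI does not apply here
    if norm_dn(bind_dn) != norm_dn(target_dn):
        return False                      # userdn = "ldap:///self"
    forbidden = norm_dn(FORBIDDEN_ROLE)
    # targattrfilters add=...: every value being added must pass the filter
    return all(norm_dn(r) != forbidden for r in added_roles)


if __name__ == "__main__":
    me = "uid=bjensen,ou=People,dc=example,dc=com"      # constructed
    other = "uid=kvaughan,ou=People,dc=example,dc=com"  # constructed
    cases = [
        (me, me, ["cn=hrManager,dc=example,dc=com"]),
        (me, me, ["CN=superadmin,DC=example,DC=com"]),
        (me, me, ["cn=hrManager,dc=example,dc=com", FORBIDDEN_ROLE]),
        (me, other, ["cn=hrManager,dc=example,dc=com"]),
    ]
    for bind, target, roles in cases:
        print(roles_aci_allows(bind, target, roles), bind, "->", target, roles)
```

The second case shows why the comparison must be made on normalized DNs: a differently cased or spaced spelling of the superAdmin role DN names the same role and is still refused.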