In LDIF, to grant Example.com employees the right to add any role to their own entry, except the superAdmin role, you would write the following statement:
aci: (targetattr="*") (targattrfilters="add=nsRoleDN:(nsRoleDN!="cn=superAdmin,dc=example,dc=com")") (version 3.0; acl "Roles"; allow (write) userdn="ldap:///self";)
This example assumes that the ACI is added to the ou=People,dc=example,dc=com entry.
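The following Python script is an added example, not part of the original text or of any directory server's code. It models how the targattrfilters part of the ACI above is evaluated: it parses the filter string, applies it to each value a self-modification tries to add or delete, and reports which values would be refused. It is a standalone simulation (no LDAP server is contacted) and only understands the simple (attr=value) and (attr!=value) filter forms used in the text; DN values are compared case-insensitively and without cosmetic spaces, as a directory server does. The sample modifications at the bottom are constructed for the example.

```python
import re

# The targattrfilters value from the "Roles" ACI in the text (constructed copy,
# DN written without cosmetic spaces).
ROLES_TARGATTRFILTERS = 'add=nsRoleDN:(nsRoleDN!="cn=superAdmin,dc=example,dc=com")'

# Matches the simple filter forms (attr=value) and (attr!=value), quoted or not.
_FILTER_RE = re.compile(r'^\(\s*([A-Za-z][\w-]*)\s*(!=|=)\s*"?([^")]*?)"?\s*\)$')


def normalize_dn(dn):
    """Compare DNs the way a server does: case-insensitive, ignoring the
    optional whitespace around commas and equals signs."""
    rdns = [r.strip() for r in dn.split(",")]
    return ",".join("=".join(p.strip() for p in r.split("=", 1)) for r in rdns).lower()


def parse_targattrfilters(spec):
    """Parse 'add=attr:(filter) && attr2:(filter) ; del=attr:(filter)' into
    {"add": {attr: (op, value)}, "del": {attr: (op, value)}}."""
    result = {"add": {}, "del": {}}
    for clause in spec.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        kind, _, rest = clause.partition("=")
        kind = kind.strip().lower()
        if kind not in result:
            raise ValueError("unknown targattrfilters operation: %r" % kind)
        for entry in rest.split("&&"):
            attr, _, filt = entry.strip().partition(":")
            m = _FILTER_RE.match(filt.strip())
            if not m:
                raise ValueError("unsupported filter: %r" % filt)
            fattr, op, value = m.groups()
            if fattr.lower() != attr.strip().lower():
                raise ValueError("filter attribute must match %r" % attr)
            result[kind][attr.strip().lower()] = (op, value)
    return result


def value_allowed(filters, kind, attr, value):
    """True if adding ('add') or deleting ('del') this one value passes the
    filter. Attributes with no filter for that operation are not constrained
    by targattrfilters at all (the ACI's targetattr="*" still applies)."""
    rule = filters[kind].get(attr.lower())
    if rule is None:
        return True
    op, expected = rule
    same = normalize_dn(value) == normalize_dn(expected)
    return same if op == "=" else not same


def check_modify(filters, changes):
    """changes: list of (kind, attr, value). Returns the values that fail the
    filter; a modify containing any of them is denied as a whole."""
    return [c for c in changes if not value_allowed(filters, *c)]


if __name__ == "__main__":
    filters = parse_targattrfilters(ROLES_TARGATTRFILTERS)
    # Constructed self-modifications by a user under ou=People,dc=example,dc=com.
    attempts = [
        ("add", "nsRoleDN", "cn=marketingAdmin,dc=example,dc=com"),
        ("add", "nsRoleDN", "CN=SuperAdmin, dc=Example, dc=com"),  # case/space variant
        ("del", "nsRoleDN", "cn=superAdmin,dc=example,dc=com"),    # no del= filter
    ]
    for change in attempts:
        verdict = "allowed" if value_allowed(filters, *change) else "DENIED"
        print("%-4s %-8s %-40s %s" % (change[0], change[1], change[2], verdict))
```

Two points the run makes visible. First, spelling the role as "CN=SuperAdmin, dc=Example, dc=com" does not slip past the filter, because DN comparison is normalised before matching. Second, the ACI in the text filters only additions: with no del= clause, the same user may remove any nsRoleDN value, including superAdmin, from their own entry. If removal should be restricted too, a matching del=nsRoleDN:(...) clause has to be written alongside the add= clause.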