# # discard - Removal disables the associated privileges to the attribute # iplanetam-modifiable-by # aci: (target=”ldap:///$rootSuffix”) (targetattr!=”nsroledn”) (version 3.0; acl “S1IS Group admin’s right to the users he creates”; allow (all) userattr = “iplanet-am-modifiable-by#ROLEDN”;)