The dpsaci attribute resembles the Directory Server aci attribute in syntax and behavior. For a description of Directory Server ACI syntax, see How Directory Server Provides Access Control.
The following list describes the differences between virtual ACIs and Directory Server ACIs.
Target keywords. Only the target, targetAttr and targetScope keywords are supported.
Permission keywords. The All access write does not permit selfwrite operations.
Bind rule subject. For performance reasons, virtual ACIs do not support the ldap:///suffix??sub?(filter) as a value for the userdn keyword.
Bind rule context. Virtual ACIs do not support SASL authentication. In addition, the ip keyword does not support subnet masks.