ACI “HR”

In LDIF, to grant the HR group all rights to the employee branch of the directory, you would use the following statement:

aci: (targetattr="*") (version 3.0; acl "HR"; allow (all)
  groupdn= "ldap:///cn=HRgroup,ou=Groups,dc=example,dc=com";)

This example assumes that the ACI is added to the following entry:

ou=People,dc=example,dc=com