Sun Internet Administrator needs the following kinds of access to do its work:
It needs to create and delete administrator information. Therefore, Sun Internet Administrator has write access to the portion of the DIT defined by the Administrators organizational unit entry.
It must be able to change certain administrator attributes (notably the userPassword and ispAuthorizedService attributes).
It must be able to control the creation of managed service entries (ispManagedService). Therefore, Sun Internet Administrator owns its own portion of the tree, below the top-level SUNWixamc entry (for example, ispVersion=1.0,ou=SUNWixamc,ou=Services,o=sun,c=us).
It needs to create the top-level service entries for services it registers and manages. Therefore, Sun Internet Administrator has the access and information it needs to write to that portion of the DIT (for example, ou=Services,o=sun,c=us).
It also needs to set the value of the protected ispPrivateData attribute on ispService entries. Therefore, Sun Internet Administrator has read/write access to that attribute of existing service entries. (In fact, no other entity has any access to the ispPrivateData attribute.)