The ACIs are stored in the aci operational attribute. The operational attribute can appear on any entry and affects the entry or any subentries within that branch of the directory information tree (DIT).

Access control instructions specify four items:

Resources are the targeted items or objects that specifies the set of entries and operations to which the access control instruction applies. For example, you can specify access to certain attributes, such as the cn or userPassword password.
Name is the descriptive label for each ACI. Typically, you have multiple ACIs for a given branch of your DIT. The access control name helps describe its purpose. For example, you can configure an ACI labeled "ACI to grant full access to administrators."
Clients are the users or entities to which you grant or deny access. You can specify individual users or groups of users using an LDAP URL. For example, you can specify a group of administrators using the LDAP URL: groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com."
Rights are permissions granted to users or client applications. You can grant or deny access to certain branches or operations. For example, you can grant read or write permission to a telephoneNumber attribute.