The following ACI allows an employee's manager to edit the value of the employee's telephoneNumber attribute. This ACI uses the userattr keyword with a bind type of USERDN, which indicates that the target entry’s manager attribute must have a value equal to the distinguished name (DN) of the authenticated user.

aci: (targetattr="telephoneNumber")
  (version 3.0; acl "A manager can update telephone numbers of her direct reports";
  allow (read,search,compare,write) userattr="manager#USERDN";)
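
The per-entry check that userattr="manager#USERDN" describes, modeled in Python as an added example (not the directory server's own code). The example.com DNs, the sample entries and the helper names are constructed for illustration, and DN comparison is simplified (no escaped commas or multi-valued RDNs).

```python
import re

# The ACI from the page, joined onto one line.
ACI = ('(targetattr="telephoneNumber")'
       '(version 3.0; acl "A manager can update telephone numbers of her direct reports";'
       ' allow (read,search,compare,write) userattr="manager#USERDN";)')

def parse_aci(aci):
    """Pull out the target attributes, granted rights and userattr bind rule."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]+)"\)', aci).group(1)
    rights = re.search(r'allow\s*\(([^)]+)\)', aci).group(1)
    attr, bind_type = re.search(r'userattr\s*=\s*"([^#"]+)#([^"]+)"', aci).groups()
    return {
        "targetattr": {a.strip().lower() for a in attrs.split("||")},
        "rights": {r.strip().lower() for r in rights.split(",")},
        "userattr": attr.strip().lower(),
        "bind_type": bind_type.strip().upper(),
    }

def norm_dn(dn):
    """Simplified DN normalization: case-fold and trim each RDN.
    Assumption: no escaped commas and no multi-valued RDNs."""
    rdns = []
    for rdn in dn.split(","):
        t, _, v = rdn.partition("=")
        rdns.append(f"{t.strip().lower()}={v.strip().lower()}")
    return ",".join(rdns)

def is_allowed(aci, bind_dn, target_entry, attribute, right):
    """True if the bind DN appears in the target entry's userattr attribute."""
    rule = parse_aci(aci)
    if rule["bind_type"] != "USERDN":
        raise ValueError("only the USERDN bind type is modeled here")
    if attribute.lower() not in rule["targetattr"] or right.lower() not in rule["rights"]:
        return False
    values = target_entry.get(rule["userattr"], [])
    return norm_dn(bind_dn) in {norm_dn(v) for v in values}

# Constructed sample entries; attribute names are stored lower-cased.
ALICE = "uid=alice,ou=People,dc=example,dc=com"
BOB_ENTRY = {"manager": [ALICE], "telephonenumber": ["+1 555 0100"]}
CAROL_ENTRY = {"manager": ["uid=dave,ou=People,dc=example,dc=com"]}

if __name__ == "__main__":
    # Same bind DN, different target entries: the grant is decided per entry.
    print(is_allowed(ACI, ALICE, BOB_ENTRY, "telephoneNumber", "write"))
    print(is_allowed(ACI, ALICE, CAROL_ENTRY, "telephoneNumber", "write"))
```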