You can use dynamic groups for internal operations, such as ACI or component evaluation. The Directory Server performs the memberurl parsing and internal LDAP search; however, the internal search operation may not be performed with access control rules applied to it.

For example, the following dynamic group represents an organization’s employees within the same department:
dn: cn=department 202,ou=groups,dc=example,dc=com 
objectClass: top 
objectClass: groupOfURLs 
cn: department 202
owner: uid=user.1,ou=people,dc=example,dc=com 
owner: uid=user.2,ou=people,dc=example,dc=com 
memberURL: ldap:///ou=People,dc=example,dc=com??sub?
  (&(employeeType=employee)(departmentNumber=202)) 
description: Group of employees in department 202
The above group could be referenced from within the ACI at the dc=example,dc=com entry. For example:
dn:dc=example,dc=com
aci: (targetattr="employeeType")
  (version 3.0; acl "Grant write access to employeeType" ; 
    allow (all) groupdn="ldap:///cn=department 202,ou=groups,dc=example,dc=com";)

Any user matching the filter can bind to the server with their entry and modify the employeeType attribute within any entry under dc=example,dc=com.