As the number of access control rules increases, so does the potential costs of determining whether a client is allowed to request a given operation and of paring down search result entries based on the data that the client is permitted to access. In addtion, the server may need to re-evaluate all access control rules after certain update operations (including modify DN operations) to determine whether these may be affected by the change.

In many cases, deployments with an extremely large number of access control rules (especially those with large numbers of branches in which the same structure may be repeated across each of these branches) may be able to leverage parameterized ACIs to dramatically reduce the number of access control rules that need to be defined and evaluated. In other cases, it may be possible to refactor the access control configuration to achieve the same effect but with far fewer rules.