The access control model uses access control instructions (ACIs), which are stored in the aci operational attribute, to determine what a user or a group of users can do with a set of entries, down to the attribute level. The operational attribute can appear on any entry and affects the entry or any subentries within that branch of the directory information tree (DIT).

Access control instructions specifies four items:
  • Resources. Resources are the targeted items or objects that specifies the set of entries and/or operations to which the access control instruction applies. For example, you can specify access to certain attributes, such as the cn or userPassword password.
  • Name. Name is the descriptive label for each access control instruction. Typically, you will have multiple access control instructions for a given branch of your DIT. The access control name helps describe its purpose. For example, you can configure an access control instructions labelled "ACI to grant full access to administrators."
  • Clients. Clients are the users or entities to which you grant or deny access. You can specify individual users or groups of users using an LDAP URL. For example, you can specify a group of administrators using the LDAP URL: groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com."
  • Rights. Rights are permissions granted to users or client applications. You can grant or deny access to certain branches or operations. For example, you can grant read or write permission to a telephoneNumber attribute.