You can do this with the following configuration change.

dsconfig set-log-publisher-prop \
     --publisher-name "Debug ACI Logger" \
     --set enabled:true

After you enable it, this logger records information about its access control decisions to the logs/debug-aci file. Because the server can write huge amounts of data to this file on a busy production server, you might want to try this on a separate instance that has been populated with the same set of access control rules. Alternatively, you can configure the logger with criteria that only matches the operations you are trying to investigate.