Permissions indicate the types of operations to which an access control rule applies. You specify whether the user or group of users is allowed or not allowed to carry out a specific operation. For example, you grant read access to the targeted entry or entries with an "allow (read)" permission, or you explicitly deny access to the targeted entries and/or attributes with a "deny (read)" permission. You can list multiple permissions, separated by commas, in a single ACI.

    allow (permission1, permission2, ..., permissionN)

    deny (permission1, permission2, ..., permissionN)

The following keywords are supported for use in the permissions portion of ACIs:

Permission    Description

add           Indicates that the access control should apply to add operations.

compare       Indicates that the access control should apply to compare operations, as well as to search operations with a base-level scope that target a single entry.

delete        Indicates that the access control should apply to delete operations.

export        Indicates that the access control should apply only to modify DN operations in which an entry is moved below a different parent by specifying a new superior DN in the modify DN request. The requestor must have the export permission for operations against the entry's original DN, and the import permission for operations against the entry's new superior DN. For modify DN operations that merely alter the RDN of an entry but keep it below the same parent (i.e., rename the entry), only the write permission is required. This is true regardless of whether the entry being renamed is a leaf entry or has subordinate entries.

import        See the description for the export permission.

proxy         Indicates that the access control rule should apply to operations that attempt to use an alternate authorization identity (for example, operations that include a proxied authorization request control, an intermediate client request control with an alternate authorization identity, or a client that has authenticated with a SASL mechanism that allows an alternate authorization identity to be specified).

read          Indicates that the access control rule should apply to search result entries returned by the server.

search        Indicates that the access control rule should apply to search operations with a non-base scope.

selfwrite     Indicates that the access control rule should apply to operations in which a user attempts to add or remove his or her own DN to or from the values of an attribute (for example, whether users may add or remove themselves from groups).

write         Indicates that the access control rule should apply to modify and modify DN operations.

all           An aggregate permission that includes all other permissions except "proxy". This is equivalent to providing a permission of "add, compare, delete, read, search, selfwrite, write, export, and import".
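As an added illustration of the permission clause syntax and of the keyword semantics in the table (example code added here; it is not from the original page and not any directory server's own implementation), the Python below parses the permissions portion of an ACI, expands the "all" aggregate without "proxy", maps common requests to the permissions the table says they need, and evaluates a request against a set of parsed clauses. Assumptions specific to this example: the deny-overrides-allow rule in is_permitted, the sample clause strings, and the simplification that a move needs only export on the original entry and import at the new superior while a rename needs only write. A real server's full evaluation also involves the ACI's targets and bind rules, which this page does not cover.

```python
import re

# Keywords supported in the permissions portion of an ACI (the table above).
PERMISSIONS = frozenset({"add", "compare", "delete", "export", "import", "proxy",
                         "read", "search", "selfwrite", "write", "all"})

# "all" is an aggregate of every permission except proxy.
ALL_EXPANSION = PERMISSIONS - {"all", "proxy"}

# allow (p1, p2, ...) or deny (p1, ...), case-insensitive, comma separated.
_CLAUSE_RE = re.compile(r"^\s*(allow|deny)\s*\(([^()]*)\)\s*$", re.IGNORECASE)


def parse_permission_clause(clause):
    """Parse one clause into (kind, frozenset of permissions).

    Unknown keywords and empty lists raise ValueError; the 'all' aggregate is
    expanded here so callers never have to special-case it.
    """
    match = _CLAUSE_RE.match(clause)
    if not match:
        raise ValueError(f"malformed permission clause: {clause!r}")
    kind = match.group(1).lower()
    names = [n.strip().lower() for n in match.group(2).split(",") if n.strip()]
    if not names:
        raise ValueError(f"no permissions listed in: {clause!r}")
    perms = set()
    for name in names:
        if name not in PERMISSIONS:
            raise ValueError(f"unsupported permission keyword: {name!r}")
        perms |= ALL_EXPANSION if name == "all" else {name}
    return kind, frozenset(perms)


def required_permissions(op, scope=None, new_superior=False):
    """Return {target_role: set(permissions)} a request needs per the table.

    target_role is 'entry' for the entry named in the request and
    'new_superior' for the new parent of a moved entry.
    """
    if op == "search":
        # A base-scope search of a single entry is governed by compare; any
        # wider scope needs search. Returned entries additionally need read.
        return {"entry": {"compare" if scope == "base" else "search", "read"}}
    if op == "moddn":
        if new_superior:
            # Move below a different parent: export at the old DN, import at
            # the new superior (simplification assumed in this example).
            return {"entry": {"export"}, "new_superior": {"import"}}
        return {"entry": {"write"}}  # plain rename keeps the same parent
    if op in ("add", "compare", "delete"):
        return {"entry": {op}}
    if op == "modify":
        return {"entry": {"write"}}
    raise ValueError(f"unknown operation: {op!r}")


def is_permitted(clauses, required):
    """Evaluate parsed clauses for one target against the required permissions.

    Assumption of this example (not stated on the page): an explicit deny
    overrides any allow, so a permission both allowed and denied is denied.
    """
    allowed, denied = set(), set()
    for kind, perms in clauses:
        (allowed if kind == "allow" else denied).update(perms)
    return required <= allowed and not (required & denied)


def evaluate_request(clauses_by_target, **request):
    """Check every target a request touches.

    A move needs export at the entry and import at the new superior, so the
    clauses in force at both targets must permit it.
    """
    needed = required_permissions(**request)
    return all(is_permitted(clauses_by_target.get(role, []), perms)
               for role, perms in needed.items())


if __name__ == "__main__":
    # Constructed sample clauses, not taken from any real ACI.
    entry_acl = [parse_permission_clause("allow (all)"),
                 parse_permission_clause("deny (delete)")]
    parent_acl = [parse_permission_clause("allow (import)")]
    acls = {"entry": entry_acl, "new_superior": parent_acl}
    print("subtree search:", evaluate_request(acls, op="search", scope="sub"))
    print("delete:        ", evaluate_request(acls, op="delete"))
    print("move:          ", evaluate_request(acls, op="moddn", new_superior=True))
    print("proxy via all: ", is_permitted(entry_acl, {"proxy"}))
```

Note that "allow (all)" never grants proxy, so a client presenting a proxied authorization control is still refused unless proxy is granted explicitly; the evaluator makes that visible rather than leaving it to memory.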