The PingDirectory server performs the memberURL parsing and the internal LDAP search. However, access control instructions cannot be applied to this internal search operation.

For example, the following dynamic group represents an organization’s employees within the same department.

dn: cn=department 202,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: department 202
owner: uid=user.1,ou=people,dc=example,dc=com
owner: uid=user.2,ou=people,dc=example,dc=com
memberURL: ldap:///ou=People,dc=example,dc=com??sub?
 (&(employeeType=employee)(departmentNumber=202))
description: Group of employees in department 202

The above group could be referenced from within the ACI at the dc=example,dc=com entry, as in the following example.

dn: dc=example,dc=com
aci: (targetattr="employeeType")
  (version 3.0; acl "Grant write access to employeeType";
    allow (all) groupdn="ldap:///cn=department 202,ou=groups,dc=example,dc=com";)

Any user matching the filter can bind to the server with their entry and modify the employeeType attribute within any entry under dc=example,dc=com.
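
The membership resolution described above, as an added example that is not PingDirectory's own code: a simplified Python model of how the memberURL's base, scope and filter select the users that the groupdn ACI applies to, plus a review check for ACI target attributes that the filter itself tests. The sample entries and all function names are constructed for illustration, and the filter evaluator handles only &, |, ! and equality.

```python
import re
from urllib.parse import unquote

MEMBER_URL = ("ldap:///ou=People,dc=example,dc=com??sub?"  # value from the page
              "(&(employeeType=employee)(departmentNumber=202))")
# Constructed sample entries (attribute names lowercased); not from the page.
ENTRIES = {dn: {"employeetype": [t], "departmentnumber": [d]} for dn, t, d in [
    ("uid=user.10,ou=People,dc=example,dc=com", "employee", "202"),
    ("uid=user.11,ou=People,dc=example,dc=com", "contractor", "202"),
    ("uid=user.12,ou=People,dc=example,dc=com", "employee", "310"),
    ("uid=svc.1,ou=Services,dc=example,dc=com", "employee", "202")]}

def parse_member_url(url):
    """Split an LDAP URL (RFC 4516) into (base DN, scope, filter)."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL without a host part")
    parts = [unquote(p).strip() for p in url[8:].split("?")] + [""] * 3
    return parts[0], parts[2] or "base", parts[3] or "(objectClass=*)"

def in_scope(dn, base, scope):  # simplified: ignores escaped commas in DNs
    dn, base = (",".join(p.strip() for p in x.lower().split(",")) for x in (dn, base))
    under = dn.endswith("," + base)
    if scope == "one":
        return under and "," not in dn[:-len(base) - 1]
    return dn == base or (scope == "sub" and under)

def matches(flt, entry):  # supports only &, |, ! and equality matches
    inner = flt.strip()[1:-1]
    if inner[0] in "&|!":
        subs, depth, start = [], 0, 0
        for i, ch in enumerate(inner):
            if ch == "(" and depth == 0:
                start = i
            depth += {"(": 1, ")": -1}.get(ch, 0)
            if ch == ")" and depth == 0:
                subs.append(matches(inner[start:i + 1], entry))
        return {"&": all(subs), "|": any(subs), "!": not subs[0]}[inner[0]]
    attr, value = inner.split("=", 1)
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def members(member_url, entries):  # DNs the groupdn ACI would apply to
    base, scope, flt = parse_member_url(member_url)
    return sorted(dn for dn, e in entries.items()
                  if in_scope(dn, base, scope) and matches(flt, e))

def membership_attrs_in_aci(member_url, targetattrs):
    """ACI target attributes that the memberURL filter itself tests."""
    used = re.findall(r"\(([a-z][\w;-]*)[~<>]?=", parse_member_url(member_url)[2].lower())
    return sorted(set(used) & {a.lower() for a in targetattrs})
```

A non-empty result from `membership_attrs_in_aci` means that group members can write an attribute that also determines group membership, which is worth reviewing before the ACI is deployed.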