The server’s access control subsystem provides a way to examine each request that a client issues to determine whether it should be allowed.
It can also examine each search result entry to determine whether the client should be permitted to retrieve it at all, and if so, which attributes or even attribute values should be permitted.
The server’s access control policy is constructed from a set of access control
instructions (ACIs), also called access control rules. ACIs can be defined in user data
in the ACI operational attribute, and they can also be defined in the configuration in
global-aci property in the access control handler
The server’s access control policy denies all access by default. Unless there is an ACI that allows something, then no user who is subject to access control is permitted to perform the requested operation or retrieve the specified data. It is also possible to explicitly deny access to something, which overrides any permission that would have otherwise granted access to it.