# http://docs.oracle.com/cd/E19476-01/821-0509/aci-syntax-overview.html
# aci: (targetrule)... ( version 3.0; acl "name"; permissionBindRule;... )
# targetrule:
#   (target [!]= "ldap:///$DN") [,...]*
#   (targetattr [!]= "$ATTR-LIST") [,...]*
#   (targetfilter [!]= "$LDAP-FILTER") [,...]*
#   (targattrfilters [!]= "$EXPRESSION") [,...]*
#   (targetscope = "base|onelevel|subtree|subordinate")
#   (targetcontrol = "$OID") [,...]*
#   (extop [!]= "$OID") [,...]*
# name:
#   - human-readable description of what the ACI does
# permissionBindRule:
#   {allow|deny} (action[,...]) (subject[,...]); [...]*
#   - when allow and deny rules both match a request, deny takes precedence;
#     access that no ACI allows is denied
#
# action:
#   - what to allow or deny. Paired with subjects.
# subject:
#   - identifies the clients to which the ACI applies, depending on who
#     connected, and when, where, and how they connected. Paired with
#     permissions.
# target:
#   - entries, attributes, controls, and extended operations to which the ACI
#     applies
#   - if no target is given, the ACI applies to the entry that holds it
#   - if targetscope is also omitted, the ACI applies to this entry and all
#     of its subordinates
#   - multiple target rules are combined with AND: all of them must match