I am struggling to find documentation on how to use the cn=config syntax for delegating a subdomain to a group of users.

In my situation, I have an OU setup for customer accounts. (ou=subdomain,ou=People,dc=example,dc=com).   I can currently edit that if I log in as a user that is our admin OU, ou=admins,dc=example,dc=com.  However, I don't want to give our front facing support that much access. 

basically, I want the following:
 - any user can update their info.
 - anyone in ou=admin can update anything
 - anybody in group cn=cust_support,ou=group,dc=example,dc=com can do anything to anyone in the ou=subdomain,ou=People OU. (create/edit/update/delete)

However, I am struggling to get the syntax right. I have tried many permutations, and the most recent example was to use these rules for setting olcAccess in the o=config database:

{0}to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=com" write by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write by * none
{1}to dn.subtree="ou=subdomain,ou=People,dc=example,dc=com" by self write by dn.children="ou=admins,dc=example,dc=com" write by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write by * read
{2}to * by self write by dn.children="ou=admins,dc=example,dc=com" write by * read

I have tried making cn=cust_support,ou=group,dc=example,dc=com both a posixGroup, and a groupOfNames.  Both of them, when I go to save a new users, I get "insufficient access"

If anyone could guide me in the correct direction, it would be greatly appreciated..
thanks!

Brian