--On Monday, October 16, 2017 5:55 PM +0200 Ervin Hegedüs <airween(a)gmail.com&gt; wrote: >without any real testing, I'm afraid that the rule{0} gives the >write access to cn=groupabcadmin to _all_ db, not just the ou=ABC >Cumstomer subtree. > >Em I right? Hm, yes, that's correct. You'll need to do something like utilize by * break appropriately, or have multiple "access to userPassword" ACLs by group, then a catchall after that.