The main idea of AACLS is the relationship between entries. An AACL works with:
The AACL checks if the author and the target are linked through the relation. Of course the operation needs to be allowed on the specified attribute(s). The operation is allowed through the "rights" attribute.
By default, nothing is possible. Each AACL is tried successively. If one of them authorizes the operation, the result is immediately sent back. When the AACLS server has tried each AACL with no authorization, the operation fails.
Both the author and the target are described with a base and a filter. Only the base of the target is mandatory.
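
The evaluation order described above, as an added Python sketch (not code from AACLS itself). The class and field names, the callable stand-ins for the filter and the relation, and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Selector:
    base: Optional[str] = None                       # subtree DN; None matches anywhere
    filter: Optional[Callable[[dict], bool]] = None  # stand-in for an LDAP filter

    def matches(self, entry: dict) -> bool:
        # Naive case-insensitive suffix match; real DN comparison needs normalization.
        dn, base = entry["dn"].lower(), (self.base or "").lower()
        in_base = not base or dn == base or dn.endswith("," + base)
        return in_base and (self.filter is None or bool(self.filter(entry)))

@dataclass
class AACL:
    target: Selector
    relation: Callable[[dict, dict], bool]  # True when author and target are linked
    attributes: frozenset                   # attributes this AACL covers
    rights: frozenset                       # operations this AACL allows
    author: Selector = field(default_factory=Selector)

    def __post_init__(self):
        if not self.target.base:
            raise ValueError("the base of the target is mandatory")

    def allows(self, author: dict, target: dict, op: str, attrs) -> bool:
        # Every condition must hold; an empty attribute list is never authorized.
        return bool(attrs and op in self.rights and set(attrs) <= self.attributes
                    and self.author.matches(author) and self.target.matches(target)
                    and self.relation(author, target))

def authorize(aacls, author: dict, target: dict, op: str, attrs) -> bool:
    for aacl in aacls:                      # each AACL is tried successively
        if aacl.allows(author, target, op, attrs):
            return True                     # first authorization is sent back at once
    return False                            # by default, nothing is possible

# Constructed sample entries and one constructed rule (hypothetical "manager" relation).
ALICE = {"dn": "uid=alice,ou=people,dc=example,dc=org"}
BOB = {"dn": "uid=bob,ou=people,dc=example,dc=org", "manager": ALICE["dn"]}
CAROL = {"dn": "uid=carol,ou=people,dc=example,dc=org"}
PRINTER = {"dn": "cn=printer,ou=devices,dc=example,dc=org", "manager": ALICE["dn"]}
MANAGER_RULE = AACL(
    target=Selector(base="ou=people,dc=example,dc=org"),
    relation=lambda author, target: target.get("manager") == author["dn"],
    attributes=frozenset({"telephoneNumber", "mail"}),
    rights=frozenset({"read", "write"}),
)
```

With this rule, ALICE may write BOB's telephoneNumber, but the same request is refused for an attribute outside the rule, for an unrelated author, or for a target outside the base.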