The ACI attributes store data following a specific structure, which is defined by this grammar:
<wrapperEntryPoint> ::= <SP*> '{' <SP*> <mainACIItemComponent> <SP*> <mainACIItemComponents> '}' <SP*> EOF

<mainACIItemComponents> ::= ',' <SP*> <mainACIItemComponent> <SP*> <mainACIItemComponents> | e

** Note: we have to allow only one of each option
<mainACIItemComponent> ::=
    "identificationTag" <SP+> SAFEUTF8STRING
    | "precedence" <SP+> INTEGER
    | "authenticationLevel" <SP+> <authenticationLevel>
    | "itemOrUserFirst" <SP+> <itemOrUserFirst>

<authenticationLevel> ::= "none" | "simple" | "strong"

<itemOrUserFirst> ::=
    "itemFirst" <SP*> ':' <SP*> '{' <SP*> <itemType> <SP*> '}'
    | "userFirst" <SP*> ':' <SP*> '{' <SP*> <userType> <SP*> '}'

<itemType> ::=
    "protectedItems" <SP*> '{' <SP*> <protectedItem?> '}' <SP*> ',' <SP*> '{' <SP*> <anyItemPermission> <SP*> <anyItemPermission*> '}'
    | "itemPermissions" <SP+> '{' <SP*> <itemPermissions?> '}' <SP*> ',' <SP*> "protectedItems" <SP*> '{' <SP*> <protectedItem?> '}'

<userType> ::=
    "userClasses" <SP+> '{' <SP*> <userClass?> '}' <SP*> ',' <SP*> '{' <SP*> <anyUserPermission> <SP*> <anyUserPermission*> '}'
    | "userPermissions" <SP+> '{' <SP*> <userPermissions?> '}' <SP*> ',' <SP*> "userClasses" <SP+> '{' <SP*> <userClass?> '}'

<protectedItem?> ::= <protectedItem> <SP*> <protectedItem*> | e

<protectedItem*> ::= ',' <SP*> <protectedItem> <SP*> <protectedItem*> | e

<protectedItem> ::=
    "entry"
    | "allUserAttributeTypes"
    | "attributeType" <SP+> '{' <SP*> <oid> <SP*> <oids> '}'
    | "allAttributeValues" <SP+> '{' <SP*> <oid> <SP*> <oids> '}'
    | "allUserAttributeTypesAndValues"
    | ATTRIBUTE_VALUE_CANDIDATE
    | "selfValue" <SP+> '{' <SP*> <oid> <SP*> <oids> '}'
    | RANGE_OF_VALUES_CANDIDATE
    | "maxValueCount" <SP+> '{' <SP*> '{' <SP*> <valueCountType> <SP*> '}' <SP*> <maxValueCount*> '}'
    | "maxImmSub" <SP+> INTEGER
    | "restrictedBy" <SP+> '{' <SP*> '{' <SP*> <typeValueIn> <SP*> '}' <SP*> <restrictedValue*> '}'
    | "classes" <SP+> <refinement>

<maxValueCount*> ::= ',' <SP*> '{' <SP*> <valueCountType> <SP*> '}' <SP*> <maxValueCount*> | e

<valueCountType> ::=
    "type" <SP+> <oid> <SP*> ',' <SP*> "maxCount" <SP+> INTEGER
    | "maxCount" <SP+> INTEGER <SP*> ',' <SP*> "type" <SP+> <oid>

<restrictedValue*> ::= ',' <SP*> '{' <SP*> <typeValueIn> <SP*> '}' <SP*> <restrictedValue*> | e

<typeValueIn> ::=
    "type" <SP+> <oid> <SP*> ',' <SP*> "valuesIn" <SP+> <oid>
    | "valuesIn" <SP+> <oid> <SP*> ',' <SP*> "type" <SP+> <oid>

<oids> ::= ',' <SP*> <oid> <SP*> <oids> | e

<itemPermissions?> ::= '{' <SP*> <anyItemPermission> <SP*> <anyItemPermission*> '}' <SP*> <itemPermissions*> | e

<itemPermissions*> ::= ',' <SP*> '{' <SP*> <anyItemPermission> <SP*> <anyItemPermission*> '}' <SP*> <itemPermissions*> | e

<anyItemPermission*> ::= ',' <SP*> <anyItemPermission> <SP*> <anyItemPermission*> | e

<anyItemPermission> :
    "precedence" <SP+> <INTEGER>
    | "userClasses" <SP+> '{' <SP*> <userClass?> '}'
    | "grantsAndDenials" <SP+> '{' <SP*> <grantAndDenial?> '}'

<grantAndDenial?> ::= <grantAndDenial> <SP*> <grantAndDenial*> | e

<grantAndDenial*> ::= ',' <SP*> <grantAndDenial> <SP*> <grantAndDenial*>

<grantAndDenial> :
    "grantAdd" | "denyAdd"
    | "grantDiscloseOnError" | "denyDiscloseOnError"
    | "grantRead" | "denyRead"
    | "grantRemove" | "denyRemove"
    | "grantBrowse" | "denyBrowse"
    | "grantExport" | "denyExport"
    | "grantImport" | "denyImport"
    | "grantModify" | "denyModify"
    | "grantRename" | "denyRename"
    | "grantReturnDN" | "denyReturnDN"
    | "grantCompare" | "denyCompare"
    | "grantFilterMatch" | "denyFilterMatch"
    | "grantInvoke" | "denyInvoke"

<userClass?> ::= <userClass> <SP*> <userClass*> | e

<userClass*> ::= ',' <SP*> <userClass> <SP*> <userClass*> | e

<userClass> :
    "allUsers"
    | "thisEntry"
    | "parentOfEntry"
    | "name" <SP+> '{' <SP*> <distinguishedName> <SP*> <name*> '}'
    | "userGroup" <SP+> '{' <SP*> <distinguishedName> <SP*> <userGroup*> '}'
    | "subtree" <SP+> '{' <SP*> '{' <SP*> <subtreeSpecificationComponent?> '}' <SP*> <subTree*> '}'

<name*> ::= ',' <SP*> <distinguishedName> <SP*> <name*> | e

<userGroup*> ::= ',' <SP*> <distinguishedName> <SP*> <userGroup*> | e

<subTree*> ::= ',' <SP*> '{' <SP*> <subtreeSpecificationComponent?> '}' <SP*> <subTree*> | e

<userPermissions?> ::= '{' <SP*> <anyUserPermission> <SP*> <anyUserPermission*> '}' <SP*> <userPermissions*> | e

<userPermissions*> ::= ',' <SP*> '{' <SP*> <anyUserPermission> <SP*> <anyUserPermission*> '}' <SP*> <userPermissions*> | e

<anyUserPermission*> ::= ',' <SP*> <anyUserPermission> <SP*> <anyUserPermission*> | e

<anyUserPermission> :
    "precedence" <SP+> <INTEGER>
    | "protectedItems" <SP*> '{' <SP*> <protectedItem?> '}'
    | "grantsAndDenials" <SP+> '{' <SP*> <grantAndDenial?> '}'

<subtreeSpecificationComponent?> ::= <subtreeSpecificationComponent> <SP*> <subtreeSpecificationComponent*> | e

<subtreeSpecificationComponent*> ::= ',' <SP*> <subtreeSpecificationComponent> <SP*> <subtreeSpecificationComponent*> | e

<subtreeSpecificationComponent> :
    "base" <SP+> <distinguishedName>
    | "specificExclusions" <SP+> '{' <SP*> <specificExclusion?> '}'
    | "minimum" <SP+> INTEGER
    | "maximum" <SP+> INTEGER

<specificExclusion?> ::= <specificExclusion> <SP*> <specificExclusion*> | e

<specificExclusion*> ::= ',' <SP*> <specificExclusion> <SP*> <specificExclusion*> | e

<specificExclusion> ::=
    "chopBefore" <SP*> ':' <SP*> <distinguishedName>
    | "chopAfter" <SP*> ':' <SP*> <distinguishedName>

<refinement> ::=
    "item" <SP*> ':' <SP*> <oid>
    | "and" <SP*> ':' <SP*> '{' <refinements?> '}'
    | "or" <SP*> ':' <SP*> '{' <refinements?> '}'
    | "not" <SP*> ':' <SP*> '{' <refinements?> '}'

<refinements?> ::= <SP*> <refinements?> <SP*> <refinement*> | e

<refinement*> ::= ',' <SP*> <refinement> <SP*> <refinement*> | e

<distinguishedName> ::= SAFEUTF8STRING

<oid> ::= DESCR | NUMERICOID

SAFEUTF8CHAR :
    '\u0001'..'\u0021'
    | '\u0023'..'\u007F'
    | '\u00c0'..'\u00d6'
    | '\u00d8'..'\u00f6'
    | '\u00f8'..'\u00ff'
    | '\u0100'..'\u1fff'
    | '\u3040'..'\u318f'
    | '\u3300'..'\u337f'
    | '\u3400'..'\u3d2d'
    | '\u4e00'..'\u9fff'
    | '\uf900'..'\ufaff' ;

<SP+> ::= <SP> <SP*>

<SP*> ::= <SP> <SP*> | e

<SP> ::= ' ' | '\t' | '\n' | '\r' ;

ALPHA : 'A'..'Z' | 'a'..'z' ;

<INTEGER> ::= <DIGIT> | <LDIGIT> <DIGIT> <DIGIT*>

<DIGIT> ::= '0' | <LDIGIT> ;

<LDIGIT> ::= '1'..'9' ;

<DIGIT*> ::= <DIGIT> <DIGIT*> | e

HYPHEN : '-' ;

NUMERICOID : INTEGER ( DOT INTEGER )+ ;

DOT : '.' ;

INTEGER_OR_NUMERICOID : ( INTEGER DOT ) => NUMERICOID | INTEGER

SAFEUTF8STRING : '"'! ( SAFEUTF8CHAR )* '"'! ;

DESCR :
    ( "attributeValue" ( SP! )+ '{' ) => "attributeValue"! ( SP! )+ '{'! ( options : . )* '}'!
    | ( "rangeOfValues" ( SP! )+ '(' ) => "rangeOfValues"! ( SP! )+ FILTER
    | ALPHA ( ALPHA | DIGIT | HYPHEN )* ;

FILTER : '(' ( ( '&' (SP)* (FILTER)+ ) | ( '|' (SP)* (FILTER)+ ) | ( '!' (SP)* FILTER ) | FILTER_VALUE ) ')' (SP)* ;

FILTER_VALUE : (options: ~( ')' | '(' | '&' | '|' | '!' ) ( ~(')') )* ) ;