# Self-service group ACLs for ou=Group,dc=example,dc=com (slapd.conf syntax).
#
# Reading notes:
#   - Within one "access to" rule the "by" clauses are tried in order and the
#     first matching clause ends evaluation unless it carries a control such
#     as "break". A user who belongs to several of the sets below therefore
#     receives only the privileges of the first clause that matches.
#   - "group/UDBgrp/<attr>.expand="$1"" tests whether the requester's DN is
#     listed in <attr> of the group entry captured by the rule's DN regex.
#     Plain "group.expand" uses the default group objectClass and member
#     attribute.
#   - A "self" prefix on an access level limits it to values equal to the
#     requester's own DN. "+a" / "+z" add the add / delete privilege to what
#     has been granted so far.
#   - Comments are kept outside the by-lists: slapd.conf joins continuation
#     lines before it strips comments, so an indented line after a comment
#     would be swallowed by that comment.
#
# NOTE(review): the DN regexes are anchored with "^" but not with "$".
# Confirm that no DN served by this database can extend past "dc=com", or
# anchor the patterns at the end as well.

# Baseline: every authenticated user may read the whole group subtree.
# "break" lets evaluation continue into the attribute rules below, whose
# "+a" / "+z" clauses build on this read grant.
access to dn.sub="ou=Group,dc=example,dc=com"
    by users read break

# member: current members may remove themselves; invited and suspended users
# may add themselves; group admins may remove any member.
# NOTE(review): an admin who is also listed in member matches the first
# clause and gets only self+z, not +z. Confirm that this is intended.
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=member
    by group.expand="$1" self+z
    by group/UDBgrp/UDBgrpInvited.expand="$1" self+a
    by group/UDBgrp/UDBgrpAdmin.expand="$1" +z
    by group/UDBgrp/UDBgrpSuspended.expand="$1" self+a
    by users read

# UDBgrpInvited: an invited user may withdraw their own invitation; group
# admins may add and remove invitations.
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=UDBgrpInvited
    by group/UDBgrp/UDBgrpInvited.expand="$1" self+z
    by group/UDBgrp/UDBgrpAdmin.expand="$1" +az
    by users read

# UDBgrpSuspended: members may suspend themselves; suspended users may clear
# their own suspension; group admins may remove any suspension.
# NOTE(review): same first-match ordering as the member rule. An admin who
# is also a member gets only self+a here.
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=UDBgrpSuspended
    by group.expand="$1" self+a
    by group/UDBgrp/UDBgrpSuspended.expand="$1" self+z
    by group/UDBgrp/UDBgrpAdmin.expand="$1" +z
    by users read

# UDBgrpAdmin: only existing group admins may change the admin list.
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=UDBgrpAdmin
    by group/UDBgrp/UDBgrpAdmin.expand="$1" write
    by users read

# description: writable by group admins, readable by authenticated users.
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=description
    by group/UDBgrp/UDBgrpAdmin.expand="$1" write
    by users read

# children of the container: any authenticated user gets write on the
# "children" pseudo-attribute of ou=Group itself.
# NOTE(review): together with the "entry" rule below, this lets every
# authenticated user create group entries. Confirm that this is the intended
# policy, and check which attributes (e.g. UDBgrpAdmin) a creator can
# populate at add time on the deployed slapd version.
access to dn.exact="ou=Group,dc=example,dc=com" attrs=children
    by users write

# The 'filter' prevents the creation of any non-group objects: this rule
# applies only to entries carrying both the groupOfNames and UDBgrp
# objectClasses. Group admins get write on the "entry" pseudo-attribute;
# other authenticated users get add only.
access to dn.regex="^(cn=[^,]+,ou=Group,dc=example,dc=com)" attrs=entry filter="(&(objectClass=groupOfNames)(objectClass=UDBgrp))"
    by group/UDBgrp/UDBgrpAdmin.expand="$1" write
    by users add