[Fedora-directory-users] roles and access control

[Gary Mann <accounts sienna-sys com>]

a question:  we have a requirement where only users that have a role are 
able to see role membership.  so if i have role A, i can see the 
membership for role A (search on nsRole=<roleA>) but cannot necessarily 
see role B members, etc.  the same restriction applies when pulling the 
nsRole attribute.

is there any way (via aci) to support this?  i've implemented a plugin 
(actually 2 - a computed attribute and preop) that supports this but 
wanted to make sure that i wasn't missing something in aci setup that 
would accomplish the same thing.

Thanks,
Gary