Creating a User with REST, how to apply LDAP ACLs the best way?

Currently I am testing creating users via the REST API, which is working great as Administrator. Because I don't want such a powerful user in that case, I was thinking about an extra user for this purpose.

This user should only be able to manage all objects within a specific DN:

access to dn.subtree="cn=b4a,ou=customer,dc=bbc,dc=local"
by dn.base="uid=udm_camunda_rest,cn=technische-user,cn=intern,cn=best-blu,dc=bbc,dc=local" manage

I can now add users there with:

root@master:/opt# ldapadd -x -W -D "uid=udm_camunda_rest,cn=technische-user,cn=intern,cn=best-blu,dc=bbc,dc=local" -f adam.ldif
Enter LDAP Password:
adding new entry "uid=adam,cn=b4a,ou=customer,dc=bbc,dc=local"

When using the REST API I also have to grant access to:

access to dn.subtree="cn=temporary,cn=univention,dc=bbc,dc=local"
by dn.base="uid=udm_camunda_rest,cn=technische-user,cn=intern,cn=best-blu,dc=bbc,dc=local" manage

But now I am facing issues with all other users (Administrator can't edit users anymore, because he is not allowed to edit entries within cn=temporary,cn=univention,dc=bbc,dc=local).

For me it is hard to decide where to put these LDAP ACLs.

I found articles here about putting them in slapd.conf (via UCR template); there was a cool solution article as well, but it's not available in 4.4.7, and I found some object types called LDAP ACL in UDM. I am not sure what the correct way is to apply additional LDAP ACLs.

Is there something else (and easier) for the REST API to create users without using the domain admin account for that?

It would be interesting to see how others are working with the REST API.
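The two directives quoted in the post contain no "by" clause for anyone except the REST user. slapd selects the first "access to" whose target matches the entry and then takes the first matching "by" clause; if none matches, the implicit trailing "by * none" applies, so every other bind DN (Administrator included) is denied on cn=temporary. The usual way out is to end such a directive with "by * +0 break", which grants nothing extra and hands evaluation on to the next "access to" directive. The Python model below is an added example, not code from the post or from Univention: it reimplements slapd's evaluation order for the clause types the post uses, evaluates the posted directives and a corrected version side by side, and prints the corrected form in slapd.conf syntax. The Administrator DN and the final catch-all directive are assumptions that stand in for the ACLs UCS generates itself.

```python
from __future__ import annotations

from dataclasses import dataclass

# slapd's access levels, weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def _norm(dn: str) -> str:
    """Case-insensitive, whitespace-tolerant comparison key for a DN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _in_subtree(entry: str, base: str) -> bool:
    e, b = _norm(entry), _norm(base)
    return e == b or e.endswith("," + b)


def _quote(spec: str) -> str:
    """Render '*' or 'kind=dn' the way it is written in slapd.conf."""
    if spec == "*":
        return "*"
    kind, _, dn = spec.partition("=")
    return f'{kind}="{dn}"'


@dataclass
class By:
    who: str              # "*" or "dn.base=<dn>"
    level: str            # one of LEVELS, or "+0" (keep what was granted so far)
    control: str = "stop" # "stop" (slapd default) or "break"

    def matches(self, requester: str) -> bool:
        if self.who == "*":
            return True
        kind, _, dn = self.who.partition("=")
        if kind == "dn.base":
            return _norm(requester) == _norm(dn)
        raise ValueError(f"unsupported <who> clause: {self.who}")


@dataclass
class Access:
    target: str           # "*", "dn.base=<dn>" or "dn.subtree=<dn>"
    by: list[By]

    def matches(self, entry: str) -> bool:
        if self.target == "*":
            return True
        kind, _, dn = self.target.partition("=")
        if kind == "dn.base":
            return _norm(entry) == _norm(dn)
        if kind == "dn.subtree":
            return _in_subtree(entry, dn)
        raise ValueError(f"unsupported <what> clause: {self.target}")


def evaluate(acls: list[Access], requester: str, entry: str) -> str:
    """Access level `requester` gets on `entry`, following slapd's rules:
    first matching 'access to' wins; inside it the first matching 'by' decides;
    no matching 'by' means the implicit 'by * none'; 'break' carries the level
    granted so far into the next 'access to' instead of stopping."""
    granted = "none"
    for acl in acls:
        if not acl.matches(entry):
            continue
        for clause in acl.by:
            if clause.matches(requester):
                if clause.level != "+0":
                    granted = clause.level
                if clause.control == "break":
                    break          # go on with the next 'access to' directive
                return granted     # default control 'stop'
        else:
            return "none"          # target matched but nobody matched: denied
    return granted


def render(acls: list[Access]) -> str:
    """Emit the directives in slapd.conf syntax, e.g. for a UCR template fragment."""
    lines = []
    for acl in acls:
        lines.append(f"access to {_quote(acl.target)}")
        for c in acl.by:
            tail = f" {c.control}" if c.control != "stop" else ""
            lines.append(f"\tby {_quote(c.who)} {c.level}{tail}")
    return "\n".join(lines) + "\n"


# DNs from the post; ADMIN is an assumed DN for the UCS domain administrator.
REST_USER = "uid=udm_camunda_rest,cn=technische-user,cn=intern,cn=best-blu,dc=bbc,dc=local"
ADMIN = "uid=Administrator,cn=users,dc=bbc,dc=local"
CUSTOMER = "cn=b4a,ou=customer,dc=bbc,dc=local"
TEMPORARY = "cn=temporary,cn=univention,dc=bbc,dc=local"

# Assumed stand-in for the ACLs UCS generates itself (not copied from UCS).
UCS_DEFAULTS = Access("*", [By(f"dn.base={ADMIN}", "write"), By("*", "none")])

# The two directives as posted: no 'by' clause for anyone but the REST user.
AS_POSTED = [
    Access(f"dn.subtree={CUSTOMER}", [By(f"dn.base={REST_USER}", "manage")]),
    Access(f"dn.subtree={TEMPORARY}", [By(f"dn.base={REST_USER}", "manage")]),
    UCS_DEFAULTS,
]

# Same grants, but 'by * +0 break' passes everyone else on to the next directive.
FIXED = [
    Access(f"dn.subtree={CUSTOMER}", [By(f"dn.base={REST_USER}", "manage"), By("*", "+0", "break")]),
    Access(f"dn.subtree={TEMPORARY}", [By(f"dn.base={REST_USER}", "manage"), By("*", "+0", "break")]),
    UCS_DEFAULTS,
]

if __name__ == "__main__":
    print(render(FIXED))
    for name, acls in (("as posted", AS_POSTED), ("fixed", FIXED)):
        for who in (REST_USER, ADMIN):
            for entry in (f"uid=adam,{CUSTOMER}", f"cn=x,{TEMPORARY}", "cn=other,ou=customer,dc=bbc,dc=local"):
                print(f"{name:10} {who.split(',')[0]:25} {entry.split(',')[0]:10} -> {evaluate(acls, who, entry)}")
```

In the model the cn=b4a directive has the same defect as the cn=temporary one; whether that shows on a real UCS depends on where the template places the custom directives relative to the generated defaults, which the model does not know. On the server itself the same questions can be put to slapd's own evaluator with slapacl, for example `slapacl -f /etc/ldap/slapd.conf -D "<bind dn>" -b "<entry dn>" entry/write`, which reports what the live configuration grants without touching any data.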

I'm interested in this as well. It's not super urgent, but it would be nice if Univention could make it easier to follow the principle of least privilege when using the REST API.