(got it from some posting, many thanks to those who explained it)
 
Consider a group of names, with "member" and "owner" attributes.
We want the "owner" to be able to administer the group, "members"
to be able to subscribe/unsubscribe freely, and some applications
located under the "ou=Apps,dc=example,dc=com" node to be able
to read "members" to fulfil their task.
A possible solution is:
 
access to dn.exact="cn=My Group,ou=Groups,dc=example,dc=com"
                attrs=member
        by dnattr=owner write
        by dnattr=member selfwrite
        by dn.children="ou=Apps,dc=example,dc=com" read
 
ando@sys-net.it
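
One way to check that the rule above grants what is intended is to ask slapacl(8) what each kind of requester gets on the "member" attribute. This is an added example, not part of the original entry; the uid=... and cn=mailer DNs, the slapd.conf path and the choice of alice as owner and bob as member are constructed, and the ALLOWED/DENIED wording of slapacl's report is assumed.

```shell
#!/bin/sh
# Added example, not from the FAQ entry. Constructed values: the uid=... and
# cn=mailer DNs, the slapd.conf path, and the assumption that alice is the
# group's owner and bob one of its members.
# Assumption: slapacl's report contains the word ALLOWED or DENIED.
SLAPACL=${SLAPACL:-slapacl}
CONF=${CONF:-/etc/openldap/slapd.conf}
GROUP='cn=My Group,ou=Groups,dc=example,dc=com'
OWNER='uid=alice,ou=People,dc=example,dc=com'
MEMBER='uid=bob,ou=People,dc=example,dc=com'
OTHER='uid=eve,ou=People,dc=example,dc=com'
APP='cn=mailer,ou=Apps,dc=example,dc=com'

# probe WHO LEVEL [VALUE]: ask slapacl whether WHO has LEVEL access to the
# member attribute (or to one VALUE of it); prints ALLOWED, DENIED or UNKNOWN.
probe() {
    spec="member/$2"
    if [ -n "${3:-}" ]; then spec="$spec:$3"; fi
    out=$("$SLAPACL" -f "$CONF" -b "$GROUP" -D "$1" "$spec" 2>&1) || true
    case $out in
        *ALLOWED*) echo ALLOWED ;;
        *DENIED*)  echo DENIED ;;
        *)         echo UNKNOWN ;;
    esac
}

# check WHO LEVEL VALUE EXPECTED: print one result line, fail on a mismatch.
check() {
    got=$(probe "$1" "$2" "$3")
    printf '%-7s expected %-7s %-5s by %s\n' "$got" "$4" "$2" "$1"
    [ "$got" = "$4" ]
}

run_matrix() {
    rc=0
    check "$OWNER"  write "$OTHER"  ALLOWED || rc=1  # owner edits any value
    check "$MEMBER" write "$MEMBER" ALLOWED || rc=1  # selfwrite: own DN only
    check "$MEMBER" write "$OTHER"  DENIED  || rc=1  # ...not someone else's
    check "$APP"    read  ""        ALLOWED || rc=1  # dn.children of ou=Apps
    check "$APP"    write "$OTHER"  DENIED  || rc=1  # read does not imply write
    check "$OTHER"  read  ""        DENIED  || rc=1  # no clause matches: none
    return $rc
}

# Run the matrix only when asked to: sh check-acl.sh run
if [ "${1:-}" = run ]; then run_matrix; fi
```

slapacl evaluates the rule against the stored group entry, so the dnattr results depend on the "owner" and "member" values actually present in the database.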