The ABNF syntax for LDAP ACIItem is as follows:

ACIItem = "{" sp aci_identificationTag
              sep sp aci-precedence
              sep sp aci-authenticationLevel
              sep sp aci-itemOrUserFirst sp "}"

aci_identificationTag   = id-identificationTag msp DirectoryString

aci-precedence          = id-precedence msp Precedence

aci-authenticationLevel = id-authenticationLevel msp AuthenticationLevel

aci-itemOrUserFirst = id-itemOrUserFirst msp aci-itemOrUserFirst

aci-itemOrUserFirst = aci-itemFirst / aci-userFirst

aci-itemFirst       = id-itemFirst ":" ItemFirst

aci-userFirst       = id-userFirst ":" UserFirst

ItemFirst = "{" sp aci-protectedItems
                sep sp aci-itemPermissions sp "}"

UserFirst = "{" sp aci-userClasses
                sep sp aci-userPermissions sp "}"

aci-protectedItems    = id-protectedItems msp ProtectedItems

aci-itemPermissions   = id-itemPermissions msp ItemPermissions

aci-userClasses       = id-userClasses msp UserClasses

aci-userPermissions   = id-userPermissions msp UserPermissions

ProtectedItems = "{" [ sp aci-entry]
                     [ sep sp aci-allUserAttributeTypes ]
                     [ sep sp aci-attributeType ]
                     [ sep sp aci-allAttributeValues ] 
                     [ sep sp aci-allUserAttributeTypesAndValues ]
                     [ sep sp aci-attributeValue ]
                     [ sep sp aci-selfValue ]
                     [ sep sp aci-rangeOfValues ]
                     [ sep sp aci-maxValueCount ]
                     [ sep sp aci-maxImmSub ]
                     [ sep sp aci-restrictedBy ]
                     [ sep sp aci-classes ] sp "}"

ItemPermissions = "{" [ sp ItemPermission
                        *( sep sp ItemPermission ) sp "}"

ItemPermission = "{" [ sp aci-precedence ]
                       sep sp aci-userClasses
                       sep sp aci-grantsAndDenials sp "}"

UserClasses = "{" [ sp aci-allUsers ]
                  [ sep sp aci-thisEntry ]
                  [ sep sp aci-Name ]
                  [ sep sp aci-userGroup ]
                  [ sep sp aci-subtree ] sp "}"

UserPermissions = "{" [ sp UserPermission
                        *( sep sp UserPermission ) ] sp "}" 

UserPermission = "{" [ sp aci-precedence ]
                       sep sp aci-protectedItems
                       sep sp aci-grantsAndDenials sp "}"

aci-entry                          = id-entry

aci-allUserAttributeTypes          = id-allUserAttributeTypes

aci-attributeType                  = id-attributeType msp AttributeTypes

aci-allAttributeValues             = id-allAttributeValues msp AttributeTypes

aci-allUserAttributeTypesAndValues = id-allUserAttributeTypesAndValues

aci-attributeValue                 = id-attributeValue msp AttributeTypeAndValues

aci-selfValue                      = id-selfValue msp AttributeTypes

aci-rangeOfValues                  = id-rangeOfValues msp Filter

aci-maxValueCount                  = id-maxValueCount msp MaxValueCount

aci-maxImmSub                      = id-maxImmSub msp INTEGER

aci-restrictedBy                   = id-restrictedBy msp RestrictedBy

aci-classes                        = id-classes msp Refinement

aci-grantsAndDenials               = id-grantsAndDenials msp GrantsAndDenials

aci-allUsers                       = id-allUsers

aci-thisEntry                      = id-thisEntry

aci-name                           = id-name msp DistinguishedNames

aci-userGroup                      = id-userGroup msp DistinguishedNames

aci-subtree                        = id-subtree msp SubtreeSpecifications

AttributeTypes = "{" sp AttributeType
                     *( sep sp AttributeType ) sp "}"
                     
AttributeTypeAndValues = "{" sp AttributeTypeAndValue
                             *( sep sp AttributeTypeAndValue ) sp "}"

MaxValueCount = "{" sp AttributeType
                    sep sp INTEGER sp "}"

RestrictedBy = "{" sp RestrictedValue
                   *( sep sp RestrictedValue ) sp "}"

GrantsAndDenials = "{" [ sp GrantAndDenialsBit
                         *( sep sp GrantAndDenialsBit ) ] sp "}"
                   ; WARNING: There SHALL NOT be any duplicates

DistinguishedNames = "{" sp DistinguishedName
                         *( sep sp DistinguishedName ) sp "}"
                        

SubtreeSpecifications = "{" sp SubtreeSpecification
                            *( sep sp SubtreeSpecification ) sp "}"

RestrictedValue = "{" sp aci-type
                      sep sp aci-valuesIn "}"

aci-type     = id-type msp AttributeType

aci-valuesIn = id-valuesIn msp AttributeType

Precedence   = INTEGER(1..255) ; FIXME: How shall we show this ?

AuthenticationLevel = id-none / id-simple / id-strong

GrantAndDenialsBit = id-grantAdd
                     / id-denyAdd
                     / id-grantDiscloseOnError
                     / id-denyDiscloseOnError
                     / id-grantRead
                     / id-denyRead
                     / id-grantRemove
                     / id-denyRemove
                     / id-grantBrowse
                     / id-denyBrowse
                     / id-grantExport
                     / id-denyExport
                     / id-grantImport
                     / id-denyImport
                     / id-grantModify
                     / id-denyModify
                     / id-grantRename
                     / id-denyRename
                     / id-grantReturnDN
                     / id-denyReturnDN
                     / id-grantCompare
                     / id-denyCompare
                     / id-grantFilterMatch
                     / id-denyFilterMatch
                     / id-grantInvoke
                     / id-denyInvoke

;MYRULE
;id-X = "X"
The Apache Directory Server way...

Apache Directory Server allows a fully flexible version of this grammar where order of named components and amount of spaces (where applicable) do not matter.