Give ACL based on an LDAP filter
The point is to be able to automagically give ACL rights on a department to its manager.
Using a filter like (&(objectClass=organizationalUnit)(manager=%dn%))
as target for an ACL assignment would answer this problem