clarify the required access to add the suffix of a database (consequence of ITS#4552)

doc/man/man5/slapd.access.5

@@ -860,11 +860,13 @@ as the first access rule.
 As a consequence, unless the operation is performed with the 
 .B updatedn
 identity, control is passed straight to the subsequent rules.
+
 .SH OPERATION REQUIREMENTS
 Operations require different privileges on different portions of entries.
 The following summary applies to primary database backends such as
 the BDB and HDB backends.   Requirements for other backends may
 (and often do) differ.
+
 .LP
 The
 .B add
@@ -877,6 +879,10 @@ of the entry being added, and
 privileges on the pseudo-attribute
 .B children
 of the entry's parent.
+When adding the suffix entry of a database, write access to
+.B children
+of the empty DN ("") is required.
+
 .LP
 The 
 .B bind
@@ -884,12 +890,14 @@ operation, when credentials are stored in the directory, requires
 .B auth (=x)
 privileges on the attribute the credentials are stored in (usually
 .BR userPassword ).
+
 .LP
 The
 .B compare
 operation requires 
 .B compare (=c)
 privileges on the attribute that is being compared.
+
 .LP
 The
 .B delete
@@ -902,12 +910,14 @@ of the entry being deleted, and
 privileges on the
 .B children
 pseudo-attribute of the entry's parent.
+
 .LP
 The
 .B modify
 operation requires 
 .B write (=w)
 privileges on the attributes being modified.
+
 .LP
 The
 .B modrdn
@@ -927,6 +937,7 @@ privileges are also required on the attributes that are present
 in the old relative DN if 
 .B deleteoldrdn
 is set to 1.
+
 .LP
 The
 .B search
@@ -959,6 +970,7 @@ access to the attribute holding the referral information
 (generally the
 .B ref
 attribute).
+
 .LP
 Some internal operations and some
 .B controls