We would like to be able to "fail fast" when searching the changelog. Currently this is not possible due to ACI checks only being carried out for search candidates.
Adding a new privilege required for accessing the changelog would solve this. It would also simplify a number of default global ACI rules.
This new privilege would be somewhat analogous to the current config-read privilege.
We may also want to require this privilege when checking for persistent searches.
If we used it for psearches as well as cn=changelog access, "changes-read" might be an appropriate name.
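
The difference between per-candidate ACI checks and an up-front privilege check, as an added example that is a simplified model and not the server's own code. The `User` and `SearchResult` types, the `readers` rule standing in for ACI evaluation, and the sample entries are assumptions made for illustration; `changes-read` is the name proposed above, and the privilege gate is assumed to run before ACI filtering rather than replace it.

```python
from dataclasses import dataclass, field

SUCCESS = 0
INSUFFICIENT_ACCESS_RIGHTS = 50  # LDAP result code defined in RFC 4511

@dataclass
class User:
    dn: str
    privileges: set = field(default_factory=set)

@dataclass
class SearchResult:
    code: int
    entries: list
    candidates_examined: int

# Constructed sample data: three changelog entries readable by one account.
ADMIN = User("uid=repl-admin,ou=people,dc=example,dc=com", {"changes-read"})
GUEST = User("uid=guest,ou=people,dc=example,dc=com")
CHANGELOG = [
    {"dn": f"changeNumber={n},cn=changelog", "readers": {ADMIN.dn}}
    for n in (1, 2, 3)
]

def aci_allows_read(user, entry):
    """Hypothetical stand-in for ACI evaluation against one candidate."""
    return user.dn in entry["readers"]

def search_aci_only(user, changelog):
    """Access is decided per candidate, so every candidate is visited
    even when the caller can read none of them."""
    examined, visible = 0, []
    for entry in changelog:
        examined += 1
        if aci_allows_read(user, entry):
            visible.append(entry["dn"])
    return SearchResult(SUCCESS, visible, examined)

def search_with_privilege(user, changelog, privilege="changes-read"):
    """Proposed behaviour: reject the request before touching any candidate."""
    if privilege not in user.privileges:
        return SearchResult(INSUFFICIENT_ACCESS_RIGHTS, [], 0)
    return search_aci_only(user, changelog)

if __name__ == "__main__":
    for search in (search_aci_only, search_with_privilege):
        for user in (GUEST, ADMIN):
            print(search.__name__, user.dn, search(user, CHANGELOG))
```

In this model the unprivileged caller gets an empty but successful result after a full scan under ACI-only checks, while the privilege gate returns an explicit error with no candidates examined.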