In our environment, employeeNumber is a sensitive field and we don't want it to be readable by all users. By default, IdM/IPA has a default permission, System: Read User Addressbook Attributes, which includes the employeeNumber attribute, but we removed it (using the IPA web interface). That had the unintended side effect of no longer allowing a user to view their own employeeNumber.

I know I can manually create an ACI ((targetattr = "employeeNumber")(version 3.0;acl "User: Read own employeeNumber";allow (read) userdn = "ldap:///self";)) that will give the user back this access to their own employeeNumber, but I would prefer to do this in the IPA interface. I can't seem to find any included option to give the user read-only access to something; even the Self Service settings give write access only, not read access.
Use the selfservice family of commands:

ipa selfservice-add 'user can read employeeNumber' --attrs=employeeNumber --permissions=read
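As an added example (not part of the answer and not FreeIPA's own code), the following checker parses 389-ds style ACIs of the shape quoted in the question and reports whether a user bound as themselves can read a given attribute. It assumes the simplified syntax used there (a single targetattr clause and a userdn bind rule); groupdn, targetfilter and other clauses are out of scope. The sample ACIs are constructed for the demonstration.

```python
import re

# Added example, not FreeIPA code: a minimal checker for 389-ds style ACIs like
# the one quoted in the question. It answers "can a user bound as themselves
# read this attribute?" for a list of ACI strings. Only targetattr/userdn ACIs
# are understood; groupdn, targetfilter and other clauses are out of scope.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
    r'\(version\s*3\.0\s*;\s*acl\s*"(?P<name>[^"]*)"\s*;'
    r'\s*(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)'
    r'\s*userdn\s*=\s*"(?P<bind>ldap:///[^"]*)"\s*;\s*\)',
    re.IGNORECASE,
)

# Bind rules that match a user who binds with their own DN.
SELF_BINDS = {"ldap:///self", "ldap:///all", "ldap:///anyone"}

def parse_aci(aci):
    """Split one ACI into its attribute set, rights and bind rule."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: %r" % aci)
    return {
        "name": m.group("name"),
        "negated": m.group("op") == "!=",
        "attrs": {a.strip().lower() for a in m.group("attrs").split("||")},
        "effect": m.group("effect").lower(),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "bind": m.group("bind").lower(),
    }

def self_can_read(acis, attribute):
    """True if some allow ACI grants read on attribute to the bound user and no
    deny ACI covers it (in 389-ds a matching deny always wins over allow)."""
    attribute = attribute.lower()
    allowed = False
    for aci in map(parse_aci, acis):
        if aci["bind"] not in SELF_BINDS:
            continue
        # targetattr != "x" covers every attribute except x
        covers = (attribute in aci["attrs"] or "*" in aci["attrs"]) != aci["negated"]
        if not covers or not ({"read", "all"} & aci["rights"]):
            continue
        if aci["effect"] == "deny":
            return False
        allowed = True
    return allowed

# Constructed sample: the self-read ACI from the question, plus an addressbook
# style ACI from which employeeNumber has already been removed.
OWN_EMPLOYEE_NUMBER_ACI = ('(targetattr = "employeeNumber")(version 3.0;'
    'acl "User: Read own employeeNumber";allow (read) userdn = "ldap:///self";)')
ADDRESSBOOK_ACI = ('(targetattr = "cn || mail || telephoneNumber")(version 3.0;'
    'acl "System: Read User Addressbook Attributes";allow (read) userdn = "ldap:///all";)')
```

Running `self_can_read([ADDRESSBOOK_ACI], "employeeNumber")` reproduces the situation in the question (no read access), and adding OWN_EMPLOYEE_NUMBER_ACI to the list restores it.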