I've got a kind of ugly annoying ACL problem I can't seem to get my head around solving ...
We've got our users, inactive users, address books etc. all under ou=contacts, i.e.:

    ou=users,ou=contacts
    ou=inactive_users,ou=contacts
    ou=clients,ou=contacts
The conditions the ACL needs to meet (the example below isn't there yet):

* A user can edit some of their own attributes
* A member of the studio group can edit all of the above + a few extra attributes
* A member of the tech group can edit pretty much anything
* Different "address books" can be made viewable only by certain groups (not implemented yet, pretty easy though):

    access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
        by group blah write
        by group otherblah read
        by * none
My problem at the moment is the amount of duplication of the who rules. Also, I don't necessarily want to give the studio group access to edit anything in, say, ou=clients,ou=contacts, but I do want to for ou=users,ou=contacts - mixing and matching the whats is kinda doing my head in :-) I almost need a way to have a what that is both dn.children and attrs, but that doesn't seem to be allowed ...
    access to attrs="telephoneNumber,l,mobile,mozillaSecondEmail,homePostalAddress,displayName"
        by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by self write
        by * read

    access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
        by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by * read

    access to *
        by * read
Any help in "simplifying" this is greatly appreciated as this is only the beginning of stuff I'm being asked to implement :-)
TIA Shane.
openldap-software@openldap.org
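One way to scope the rules as the post asks, as an added slapd.conf example that is not part of the original message: slapd.access(5) lets a single `access to` clause combine `dn.children=` with `attrs=`, and since slapd stops at the first clause whose `what` matches, ordering the specific subtree+attribute clauses before the broad ones keeps studio's write access confined to ou=users. It assumes the DNs quoted in the post and uses `title` and `description` as placeholders for the unnamed "extra" studio attributes.

```conf
# Added example, not the original post's config. Assumes the DNs quoted in
# the post (dc=rsp,dc=com,dc=au, groups under ou=authgroups) and that the
# "extra" studio attributes are title and description (placeholders).
# slapd stops at the FIRST "access to" clause whose <what> matches, so the
# most specific (dn + attrs) clauses must come before the broader ones.

# Password hashes must not fall through to the catch-all "by * read".
access to attrs=userPassword
        by self write
        by anonymous auth
        by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by * none

# Self-editable attributes; studio and tech may edit them too, but only
# under ou=users (dn.children + attrs in one <what>).
access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
        attrs=telephoneNumber,l,mobile,mozillaSecondEmail,homePostalAddress,displayName
        by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by self write
        by * read

# Extra attributes studio may edit, again scoped to ou=users only.
access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
        attrs=title,description
        by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by * read

# Remaining attributes under ou=users: tech edits, everyone else reads.
access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
        by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by * read

# Per-address-book visibility: clients readable only by studio and tech.
# Studio gets no write here because no earlier clause matched this subtree.
access to dn.children="ou=clients,ou=contacts,dc=rsp,dc=com,dc=au"
        by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
        by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" read
        by * none

# Everything not matched above (ou=inactive_users, the ou entries, ...).
access to * by * read
```

Each rule can be checked offline against the config with slapacl(8), e.g. `slapacl -f slapd.conf -v -D "<studio member DN>" -b "<entry DN under ou=clients>" telephoneNumber/write` should report the access as denied.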