Description
with the current wildcard-based glob restriction it's not possible to limit the effect of a single ACE to properties or nodes matching a given set of names.
examples:
- grant rep:readProperties privilege for properties named jcr:primaryType or jcr:mixinTypes (i.e. only default properties present with all jcr nodes such as defined by nt:base)
- grant rep:userManagement privilege only for items named rep:members (i.e. limit the effect that only members can be added or removed but other kind of user management action is denied)
- deny creation of child nodes named 'jcr:content' or 'content' or 'rep:content' or 'my:content'