Multivalued restriction to limit effect of ACE to items with a given name

with the current wildcard-based glob restriction it's not possible to limit the effect of a single ACE to properties or nodes matching a given set of names.

examples:

• grant rep:readProperties privilege for properties named jcr:primaryType or jcr:mixinTypes (i.e. only default properties present with all jcr nodes such as defined by nt:base)
• grant rep:userManagement privilege only for items named rep:members (i.e. limit the effect that only members can be added or removed but other kind of user management action is denied)
• deny creation of child nodes named 'jcr:content' or 'content' or 'rep:content' or 'my:content'