Inside - one repository - Assuming a [/] which has more relaxed access controls that a [/foo/bar/ accounting] which is restricted to a few people than the controls of the latter affect the first group. You'd expect that all, including those with the wider access controls to be able to check out everything but /foo/bar/accounting - and that only those with the 'staff' bit to be able to also check out /foo/bar/ accounting. A work around is a separate repository for each access level. Which does not allow for matrix ACL's. Dw.
Original issue reported by dirkx