Regarding "broken ACI concept" - does any rfc speaks something about concept of dynamically assigned priviledges to ldap directory entries? Or does it recommend avoiding such policies? Regards, Piotr