
ACL redundancy

I've got a kind of ugly, annoying ACL problem I can't seem to get my
head around solving ...

We've got our users, inactive users, address books etc. all under ou=contacts, i.e.:
 ou=users,ou=contacts
 ou=inactive_users,ou=contacts
 ou=clients,ou=contacts

The conditions the ACL needs to meet (the example below isn't there yet):
* A user can edit some of their own attributes
* A member of the studio group can edit all of the above + a few extra attributes
* A member of the tech group can edit pretty much anything
* Different "address books" can be made viewable only by certain
groups (not implemented yet; pretty easy though: access to
dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au" by group blah
write by group otherblah read by * none)

My problem at the moment is the amount of duplication of the who
rules. Also, I don't necessarily want to give the studio group
access to edit anything in, say, ou=clients,ou=contacts, but I do want to
for ou=users,ou=contacts - mixing and matching the whats is kinda
doing my head in :-) I almost need a way to have a what that is both
dn.children and attrs, but that doesn't seem to be allowed ...

access to attrs="telephoneNumber,l,mobile,mozillaSecondEmail,homePostalAddress,displayName"
   by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
   by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
   by self write
   by * read
access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
   by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
   by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
   by * read
access to *
   by * read

Any help in "simplifying" this is greatly appreciated as this is only
the beginning of stuff I'm being asked to implement :-)

TIA
Shane.
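An added example, not from Shane's post, of how the requirements above can be expressed with a single `<what>` clause that carries both a `dn.children` selector and an `attrs` list, which slapd.conf does accept. It reuses the DNs and attribute names from the post; the "extra" studio attributes (title, departmentNumber) and the choice of ou=clients as the restricted address book are assumptions for illustration. slapd uses the first `access to` clause whose `<what>` matches the target, and within it the first matching `by` clause, so the subtree-specific rules are listed before the general ones.

```conf
# Added example (not the original poster's config). Same DIT and group DNs as
# the post; the studio "extra" attributes and the restricted ou=clients address
# book are assumed for illustration.
#
# Evaluation order matters: slapd stops at the first <what> that matches, then
# the first <by> that matches. Specific subtrees go first, the catch-all last.

# 1a. ou=users: attributes a user may edit on their own entry; studio and tech
#     may edit them on any user entry.
access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
        attrs="telephoneNumber,l,mobile,mozillaSecondEmail,homePostalAddress,displayName"
    by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
    by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
    by self write
    by * read

# 1b. ou=users: the "extra" attributes only studio and tech may edit.
#     No "by self write" here, so users cannot change these on themselves.
access to dn.children="ou=users,ou=contacts,dc=rsp,dc=com,dc=au"
        attrs="title,departmentNumber"
    by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
    by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" write
    by * read

# 2. Restricted address book: listed BEFORE the general ou=contacts rule below,
#    otherwise that rule's "by * read" would match these entries first.
access to dn.children="ou=clients,ou=contacts,dc=rsp,dc=com,dc=au"
    by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
    by group="cn=studio,ou=authgroups,dc=rsp,dc=com,dc=au" read
    by * none

# 3. Everything else under ou=contacts (e.g. ou=inactive_users): users may still
#    edit their own contact attributes; studio is deliberately absent here.
access to dn.children="ou=contacts,dc=rsp,dc=com,dc=au"
        attrs="telephoneNumber,l,mobile,mozillaSecondEmail,homePostalAddress,displayName"
    by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
    by self write
    by * read

# 4. Catch-all. Tech gets write on all remaining attributes, including the
#    "entry" pseudo-attribute needed to add, delete or rename entries.
access to *
    by group="cn=tech,ou=authgroups,dc=rsp,dc=com,dc=au" write
    by * read
```

Two things worth checking after a change like this: that a user bound as their own entry cannot write an attribute from rule 1b, and that a studio member cannot write anything under ou=clients. The `slapacl` tool that ships with OpenLDAP evaluates the configured ACLs offline for a given bind DN and target, e.g. `slapacl -f slapd.conf -D "<studio member DN>" -b "<entry under ou=clients>" telephoneNumber/write`, so the ordering can be verified without a live client.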