access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccountThat works without sideeffects. Thank you :-) But I still don't understand why 2 has side effects.
@acmeUserAccount by itself is going to affect access to all the attributes that are in that objectClass. It's really just shorthand for that list of attributes in that objectClass. So if you used the some of the same attributes in your other tree, they would be affected as well. By adding the specific subtree restriction, then you no longer affect those attributes elsewhere.
--Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration