Hi, I have implemented a hierarchical access control with the following scheme: given the structure /a/b/c/d write access is granted if the AUTHENTICATED_USER has a role identical to the folder name or one of the parent folders, i.e. a user with role b can change contents of folders b, c, and d, but not a. I need to have a single user_folder and thus can't use a scheme similar to the content manager's guide .. It works like this: for all parents compare role to foldername if equal grant permission The problem is that one can change the access path by using acquisition, e.g. /a/b/a, so a user with only role b can now change folder a, too. is there a way to disallow acquisition for single folders or objects or any other way to make this work? thanks --Oliver