I just noticed that AccessControlUtil.replaceAccessControlEntry searches for a match on an ACE within an ACL using the principal only (and not the grant or deny as well).

So if there was a grant ACL and the replacement is a deny, then the grant is removed, even if the deny did not deny what was granted (I think I better give an example :) )

before
    grant:ieb:jcr:write

update with
    deny:ieb:jcr:nodeTypeManagement

after update
    deny:ieb:jcr:nodeTypeManagement

----

I think the ACLTemplate in JCR2 will support
    grant:ieb:jcr:write
    deny:ieb:jcr:nodeTypeManagement
in a single ACL. Perhaps the replace should look at both the principal and the allow/deny.

WDYT?
Ian
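
The two matching rules discussed in the message above, side by side, as an added example that is not part of the original message and is not Sling or Jackrabbit code. The Ace class and both replace methods are a constructed model. The second scenario in main goes beyond the message's case: it is the reverse update in the same model, where a grant replaces an existing deny.

```java
import java.util.ArrayList;
import java.util.List;

// Constructed model of an ACL; these are not the Sling or Jackrabbit classes.
public class AceReplaceDemo {

    static final class Ace {
        final String principal; final boolean allow; final String privilege;
        Ace(String principal, boolean allow, String privilege) {
            this.principal = principal; this.allow = allow; this.privilege = privilege;
        }
        @Override public String toString() {
            return (allow ? "grant:" : "deny:") + principal + ":" + privilege;
        }
    }

    // Rule described in the message: every entry for the principal is replaced,
    // whether it was a grant or a deny.
    static List<Ace> replaceByPrincipal(List<Ace> acl, Ace update) {
        List<Ace> out = new ArrayList<>();
        for (Ace e : acl) {
            if (!e.principal.equals(update.principal)) out.add(e);
        }
        out.add(update);
        return out;
    }

    // Rule proposed in the message: an entry is replaced only when both the
    // principal and the allow/deny type match, so the other type is kept.
    static List<Ace> replaceByPrincipalAndType(List<Ace> acl, Ace update) {
        List<Ace> out = new ArrayList<>();
        for (Ace e : acl) {
            boolean same = e.principal.equals(update.principal) && e.allow == update.allow;
            if (!same) out.add(e);
        }
        out.add(update);
        return out;
    }

    public static void main(String[] args) {
        Ace grant = new Ace("ieb", true, "jcr:write");
        Ace deny = new Ace("ieb", false, "jcr:nodeTypeManagement");
        // Case from the message: a deny update applied to an ACL holding a grant.
        System.out.println("principal only:     " + replaceByPrincipal(List.of(grant), deny));
        System.out.println("principal and type: " + replaceByPrincipalAndType(List.of(grant), deny));
        // Reverse case (added): a grant update applied to an ACL holding a deny.
        System.out.println("reverse, principal only:     " + replaceByPrincipal(List.of(deny), grant));
        System.out.println("reverse, principal and type: " + replaceByPrincipalAndType(List.of(deny), grant));
    }
}
```

In the reverse case the principal-only rule drops the existing deny entry, which is the direction worth testing first when reviewing an ACL update path.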
