# Test the principal-centered ACL syntax

set ACL for user1,u2
    remove * on /libs,/apps
    allow jcr:read on /content

    deny jcr:write on /apps
    
    # Optional nodetypes clause
    deny jcr:lockManagement on /apps, /content nodetypes sling:Folder, nt:unstructured
    # nodetypes clause with restriction clause
    deny jcr:modifyProperties on /apps, /content nodetypes sling:Folder, nt:unstructured restriction(rep:itemNames,prop1,prop2)
    remove jcr:understand,some:other on /apps

    # multi value restriction
    allow jcr:addChildNodes on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured)

    # multiple restrictions
    allow jcr:modifyProperties on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured) restriction(rep:itemNames,prop1,prop2)

    # restrictions with glob patterns
    allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat,/cat/,cat)
    allow jcr:addChildNodes on /apps,/content restriction(rep:glob,cat/,*,*cat)
    allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat/*,*/cat,*cat/*)
end