# $Id$

*.userPassword
    *: read,deny # the deny will mask the read

user.CREATE
    user1: write

user.{sn,\
    givenName} # user can change their name
    $cn: write,read
    %tgroup: read

group.*
    %admin: read, write

*.*
    *:read