ich trau mich fast nicht zu fragen 
Das eine Person in einer ACL alle anderen Rechte der Gruppen in der die Person auch noch vorkommt übersteuert weiss ich noch, wie war jetzt das mit den Gruppen??? Wenn ein User in zwei Gruppen vorkommt, die eine Gruppe mit Leserecht die andere mit Autorenrecht, welche Gruppe zieht nun 
vielen Dank
Pascal
Hier die komplette ACL-Auflösungslogik aus der Adminhilfe:
Order of evaluation for ACL entries
ACL entries are evaluated in a specific order to determine the access level that will be granted to an authenticated user trying to access the database. If a user fails to authenticate with a server, and the server permits access anyway, access will be computed as though the user's name was "Anonymous."
1.
The ACL first checks the user name to see if it matches an explicit entry in the ACL. The ACL checks all matching user names. For example, Sandra E Smith/West/Acme would match the entries Sandra E Smith/West/Acme/US and Sandra E Smith. In the event that two different entries for an individual have different access levels (for example, applied at different times by different administrators), the user trying to access the database would be granted the highest access level, as well as the union of the access privileges of the two entries for that user in the ACL. This can also happen if the user has alternate names.
Note:
If you enter only the common name in the ACL (for example, Sandra E Smith), then that entry matches only if the user's name and the database server are in the same domain hierarchy. For example, if the user is Sandra E Smith, whose hierarchical name is Sandra E Smith/West/Acme, and the database server is Manufacturing/FactoryCo, then the entry Sandra E Smith will not get the correct level of access for ACLs on the server Manufacturing/FactoryCo. The name must be entered in full hierarchical format in order for the user to obtain the correct level of access to ACLs on servers in other domains.
2.
If no match is made on the user name, the ACL then checks to see if there is a group name entry that can be matched. If an individual trying to access the database happens to match more than one group entry -- for example, if the person is a member of Sales and there are two group entries for Sales - Acme Sales and Sales Managers -- then the individual is granted the highest access level, as well as the union of the access privileges of the two entries for that group in the ACL.
Note:
If the user matches an explicit entry in the ACL, and is a member of a group that is also listed in the ACL, then the user always gets the level of access assigned to the explicit entry, even if the group access level is higher.
3.
If no match is made on the group name, the ACL then checks to see if there is a wildcard entry that can be matched. If the individual trying to access the database happens to match more than one wildcard entry, the individual is granted the highest access level, as well as the union of the access privileges of all of the wildcard entries that match.
4.
If a group entry and a wildcard entry both apply to a user attempting to access the database, then the user has the access assigned to the group entry. For example, if the group Sales has Reader access and the wildcard entry */West/Acme has Manager access, and both entries apply to a user, then the user has Reader access to the database.
5.
Lastly, if no match can be made from among the database ACL entries, the individual is granted the level of access defined for the -Default- entry.
