Hi, Just as a comment on the discussion about DENY rules in policies, my alternative suggestion was to have "allow" rules with a more complex syntax, e.g. something like: VOMS:/atlas/*:EXCEPT:/atlas/higgs which would match against any subgroup of atlas except higgs. That would be a bit harder to parse, but maybe still easier than a generic DENY rule. Stephen