diff --git a/lib/cib/cib_file.c b/lib/cib/cib_file.c
index 5562e9e..aa68679 100644
--- a/lib/cib/cib_file.c
+++ b/lib/cib/cib_file.c
@@ -310,6 +310,12 @@ cib_file_perform_op_delegate(cib_t * cib, const char *op, const char *host, cons
     }
     crm_trace("Performing %s operation as %s", op, user_name);
 #endif
+
+    /* Mirror the logic in cib_prepare_common() */
+    if (section != NULL && data != NULL && crm_str_eq(crm_element_name(data), XML_TAG_CIB, TRUE)) {
+        data = get_object_root(section, data);
+    }
+
     rc = cib_perform_op(op, call_options, fn, query,
                         section, request, data, TRUE, &changed, in_mem_cib, &result_cib, &cib_diff,
                         &output);
diff --git a/lib/common/xml.c b/lib/common/xml.c
index f7779f5..54f1aa7 100644
--- a/lib/common/xml.c
+++ b/lib/common/xml.c
@@ -4848,8 +4848,13 @@ replace_xml_child(xmlNode * parent, xmlNode * child, xmlNode * update, gboolean
 
             xml_accept_changes(tmp);
             old = xmlReplaceNode(child, tmp);
-            xml_calculate_changes(old, tmp);
 
+            if(xml_tracking_changes(tmp)) {
+                /* Replaced sections may have included relevant ACLs */
+                __xml_acl_apply(tmp);
+            }
+
+            xml_calculate_changes(old, tmp);
             xmlDocSetRootElement(doc, old);
             free_xml(old);
         }
diff --git a/tools/regression.acls.exp b/tools/regression.acls.exp
index 2cea125..e05e339 100644
--- a/tools/regression.acls.exp
+++ b/tools/regression.acls.exp
@@ -17,11 +17,18 @@ A new shadow instance was created.  To begin using it paste the following into y
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
     </acls>
   </configuration>
   <status/>
@@ -47,11 +54,18 @@ A new shadow instance was created.  To begin using it paste the following into y
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
     </acls>
   </configuration>
   <status/>
@@ -78,11 +92,18 @@ A new shadow instance was created.  To begin using it paste the following into y
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
     </acls>
   </configuration>
   <status/>
@@ -109,11 +130,18 @@ A new shadow instance was created.  To begin using it paste the following into y
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -143,11 +171,18 @@ A new shadow instance was created.  To begin using it paste the following into y
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -180,11 +215,18 @@ A new shadow instance was created.  To begin using it paste the following into y
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -255,11 +297,18 @@ Call failed: Permission denied
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -301,11 +350,18 @@ __xml_acl_post_process: 	Creation of nvpair=cib-bootstrap-options-stonith-enable
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -345,11 +401,18 @@ Call failed: Permission denied
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -384,11 +447,18 @@ Call failed: Permission denied
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -425,11 +495,18 @@ Call failed: Permission denied
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -486,11 +563,18 @@ __xml_acl_post_process: 	Creation of nvpair=dummy-meta_attributes-target-role is
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -535,11 +619,18 @@ Stopped
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -582,11 +673,18 @@ Deleted dummy option: id=dummy-meta_attributes-target-role name=target-role
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -631,11 +729,18 @@ __xml_acl_post_process: 	Creation of nvpair=dummy-meta_attributes-target-role is
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -730,11 +835,18 @@ Call failed: Permission denied
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -778,11 +890,18 @@ Call failed: Permission denied
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -794,12 +913,12 @@ Call failed: Permission denied
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: niceguy: Replace - modify attribute =#=#=#=
+=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
 __xml_acl_check: 	400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default
 Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - modify attribute - Permission denied (13) =#=#=#=
-* Passed: cibadmin       - niceguy: Replace - modify attribute
+=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Permission denied (13) =#=#=#=
+* Passed: cibadmin       - niceguy: Replace - modify attribute (deny)
 <cib epoch="13" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
@@ -825,11 +944,18 @@ Call failed: Permission denied
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -841,12 +967,12 @@ Call failed: Permission denied
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: niceguy: Replace - delete attribute =#=#=#=
+=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
 __xml_acl_check: 	400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']: default
 Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - delete attribute - Permission denied (13) =#=#=#=
-* Passed: cibadmin       - niceguy: Replace - delete attribute
+=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Permission denied (13) =#=#=#=
+* Passed: cibadmin       - niceguy: Replace - delete attribute (deny)
 <cib epoch="13" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
@@ -872,11 +998,18 @@ Call failed: Permission denied
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
@@ -888,12 +1021,161 @@ Call failed: Permission denied
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: niceguy: Replace - create attribute =#=#=#=
+=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
 __xml_acl_check: 	400 access denied to /cib/configuration/resources/primitive[@id='dummy'][@description]: default
 Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - create attribute - Permission denied (13) =#=#=#=
-* Passed: cibadmin       - niceguy: Replace - create attribute
+=#=#=#= End test: niceguy: Replace - create attribute (deny) - Permission denied (13) =#=#=#=
+* Passed: cibadmin       - niceguy: Replace - create attribute (deny)
+<cib epoch="13" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_role id="observer">
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
+=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - create attribute (allow)
+<cib epoch="14" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_role id="observer">
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
+=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - modify attribute (allow)
+<cib epoch="15" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_role id="observer">
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
+=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - delete attribute (allow)
 
 
     !#!#!#!#! Upgrading to pacemaker-2.0 and retesting !#!#!#!#!
@@ -901,6 +1183,8 @@ Call failed: Permission denied
 __xml_acl_post_process: 	Creation of acl_permission=observer-read-1 is allowed
 __xml_acl_post_process: 	Creation of acl_permission=observer-write-1 is allowed
 __xml_acl_post_process: 	Creation of acl_permission=observer-write-2 is allowed
+__xml_acl_post_process: 	Creation of acl_permission=admin-read-1 is allowed
+__xml_acl_post_process: 	Creation of acl_permission=admin-write-1 is allowed
 __xml_acl_post_process: 	Creation of acl_permission=crook-nothing is allowed
 __xml_acl_post_process: 	Creation of acl_permission=badidea-resources is allowed
 __xml_acl_post_process: 	Creation of acl_permission=betteridea-nothing is allowed
@@ -917,11 +1201,7 @@ __xml_acl_post_process: 	Creation of acl_permission=betteridea-resources is allo
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
-        </meta_attributes>
-      </primitive>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
     </resources>
     <constraints/>
     <acls>
@@ -934,11 +1214,18 @@ __xml_acl_post_process: 	Creation of acl_permission=betteridea-resources is allo
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1019,11 +1306,18 @@ Call failed: Permission denied
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1073,11 +1367,18 @@ Error setting enable-acl=false (section=crm_config, set=<null>): Permission deni
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1126,11 +1427,18 @@ Call failed: Permission denied
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1174,11 +1482,18 @@ Call failed: Permission denied
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1224,11 +1539,18 @@ Call failed: Permission denied
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1294,11 +1616,18 @@ __xml_acl_post_process: 	Creation of nvpair=dummy-meta_attributes-target-role is
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1352,11 +1681,18 @@ Stopped
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1408,11 +1744,18 @@ Deleted dummy option: id=dummy-meta_attributes-target-role name=target-role
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1466,11 +1809,18 @@ __xml_acl_post_process: 	Creation of nvpair=dummy-meta_attributes-target-role is
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1574,11 +1924,18 @@ Call failed: Permission denied
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1631,11 +1988,18 @@ Call failed: Permission denied
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1653,12 +2017,12 @@ Call failed: Permission denied
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: niceguy: Replace - modify attribute =#=#=#=
+=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
 __xml_acl_check: 	400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]: default
 Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - modify attribute - Permission denied (13) =#=#=#=
-* Passed: cibadmin       - niceguy: Replace - modify attribute
+=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Permission denied (13) =#=#=#=
+* Passed: cibadmin       - niceguy: Replace - modify attribute (deny)
 <cib epoch="14" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
@@ -1687,11 +2051,18 @@ Call failed: Permission denied
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1709,12 +2080,12 @@ Call failed: Permission denied
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: niceguy: Replace - delete attribute =#=#=#=
+=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
 __xml_acl_check: 	400 access denied to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']: default
 Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - delete attribute - Permission denied (13) =#=#=#=
-* Passed: cibadmin       - niceguy: Replace - delete attribute
+=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Permission denied (13) =#=#=#=
+* Passed: cibadmin       - niceguy: Replace - delete attribute (deny)
 <cib epoch="14" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
@@ -1743,11 +2114,18 @@ Call failed: Permission denied
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
@@ -1765,9 +2143,185 @@ Call failed: Permission denied
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: niceguy: Replace - create attribute =#=#=#=
+=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
 __xml_acl_check: 	400 access denied to /cib[@epoch]: default
 __xml_acl_check: 	400 access denied to /cib/configuration/resources/primitive[@id='dummy'][@description]: default
 Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - create attribute - Permission denied (13) =#=#=#=
-* Passed: cibadmin       - niceguy: Replace - create attribute
+=#=#=#= End test: niceguy: Replace - create attribute (deny) - Permission denied (13) =#=#=#=
+* Passed: cibadmin       - niceguy: Replace - create attribute (deny)
+<cib epoch="14" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
+=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - create attribute (allow)
+<cib epoch="15" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
+=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - modify attribute (allow)
+<cib epoch="16" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
+=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - delete attribute (allow)
diff --git a/tools/regression.sh b/tools/regression.sh
index 0c4896c..63f4445 100755
--- a/tools/regression.sh
+++ b/tools/regression.sh
@@ -487,7 +487,7 @@ function test_acl_loop() {
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" crm_attribute -n enable-acl -v false
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
 
-    desc="$CIB_user: Replace - modify attribute"
+    desc="$CIB_user: Replace - modify attribute (deny)"
     cmd="cibadmin --replace --xml-file /tmp/$$.haxor.xml"
     test_assert 13 0
 
@@ -495,7 +495,7 @@ function test_acl_loop() {
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin --replace --xml-text '<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>'
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
 
-    desc="$CIB_user: Replace - delete attribute"
+    desc="$CIB_user: Replace - delete attribute (deny)"
     cmd="cibadmin --replace --xml-file /tmp/$$.haxor.xml"
     test_assert 13 0
 
@@ -503,10 +503,36 @@ function test_acl_loop() {
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
     CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
 
-    desc="$CIB_user: Replace - create attribute"
+    desc="$CIB_user: Replace - create attribute (deny)"
     cmd="cibadmin --replace --xml-file /tmp/$$.haxor.xml"
     test_assert 13 0
     rm -rf /tmp/$$.haxor.xml
+
+
+    CIB_user=bob
+    CIB_user=root cibadmin -Q > /tmp/$$.haxor.xml
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - create attribute (allow)"
+    cmd="cibadmin --replace -o resources --xml-file /tmp/$$.haxor.xml"
+    test_assert 0 0
+
+    CIB_user=root cibadmin -Q > /tmp/$$.haxor.xml
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - modify attribute (allow)"
+    cmd="cibadmin --replace -o resources --xml-file /tmp/$$.haxor.xml"
+    test_assert 0 0
+
+    CIB_user=root cibadmin -Q > /tmp/$$.haxor.xml
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'
+    CIB_user=root CIB_file=/tmp/$$.haxor.xml CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - delete attribute (allow)"
+    cmd="cibadmin --replace -o resources --xml-file /tmp/$$.haxor.xml"
+    test_assert 0 0
 }
 
 function test_acls() {
@@ -522,11 +548,18 @@ function test_acls() {
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
     </acls>
 EOF