Have a look at the ACL security package, it goes a bit
more into this
direction. As far as I know it is possible to assign users/groups
only to be valid in a certain sub-tree.
Nope this was never done because we never came up with good
semantics.What happens if something (user, group, ...) is already
defined in a subtree/supertree? Does it matter where you login? What
happens if you leave your tree? Stuff like that.
In general it would be interesting it you could combine the different
security methods but this is not possible at the Moment.
Philippe