Hi Jay,We have a similar requirement.  "a user should not see any folder except one under a path." The approach mentioned by you is the optimal solution.I tried using deny and rep:glob=/* but the parent folder was still denied, then followed the below post toAEM: ACL Bug with Restrictions (rep:glob)...