ACL trouble
    Frank Leonhardt 
    freebsd-doc at fjl.co.uk
       
    Mon Feb  5 15:16:34 UTC 2018
    
    
  
I know there is more than one flavour of ACL but in general...
Imagine you have two groups - one "accounts" and another "dodgy". If it 
helps you could even have a third - "notdodgy" - which contains all the 
users not in "dodgy".
You have a resource, called "master-file". This must be accessible to 
everyone in accounts EXCEPT for those also in the dodgy group. That's 
right - you have some dodgy accountants.
How do you do this?
The problem with ACLs, as I understand them, is that the system will 
search through until it finds an "allow" condition and only return 
"deny" if it completely fails. In other words, Group1 OR Group2 = Allow. 
I want a condition that says Group1 AND Group2 = Allow.
If this is beyond what ACLs can do I have a clunky Plan B: a cron job that 
will maintain a third group called "notdodgyaccounts" and use that as a 
group owner of "master-file", avoiding ACLs completely. But I thought ACLs 
were supposed to be the answer to everything.
Am I missing something?
Thanks, Frank.
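
The Plan B cron job described in the post, as an added example that is not part of the original message: it computes "in accounts AND NOT in dodgy" and hands the result to FreeBSD's pw(8). The function names and the sample group and passwd data are assumptions constructed for illustration; the group names are the ones used in the post.

```shell
#!/bin/sh
# Added example: compute "accounts AND NOT dodgy" for the cron-maintained group.
# WANT/DENY/TARGET use the post's group names; function names are hypothetical.
WANT=accounts DENY=dodgy TARGET=notdodgyaccounts

# allowed_members GROUPFILE PASSWDFILE
# Prints a comma-separated, sorted list of users who are in $WANT and not in
# $DENY. Membership counts both the member list in group(5) and a matching
# primary gid in passwd(5), which the member list alone would miss.
allowed_members() {
    awk -F: -v want="$WANT" -v deny="$DENY" '
        FNR == NR {                          # first file: group(5)
            if ($1 == want || $1 == deny) {
                gid[$1] = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[$1, m[i]] = 1
            }
            next
        }
        {                                    # second file: passwd(5)
            if ((want in gid) && $4 == gid[want]) member[want, $1] = 1
            if ((deny in gid) && $4 == gid[deny]) member[deny, $1] = 1
            known[$1] = 1
        }
        END {
            for (u in known)
                if (((want, u) in member) && !((deny, u) in member)) print u
        }
    ' "$1" "$2" | LC_ALL=C sort | paste -sd, -
}

# write_sample DIR: constructed test data, not taken from any real system.
write_sample() {
    printf '%s\n' 'accounts:*:2001:alice,bob,carol' 'dodgy:*:2002:bob' \
        'staff:*:20:erin' > "$1/group"
    printf '%s\n' 'alice:*:1001:20::/home/alice:/bin/sh' \
        'bob:*:1002:20::/home/bob:/bin/sh' 'carol:*:1003:2002::/home/carol:/bin/sh' \
        'dave:*:1004:2001::/home/dave:/bin/sh' \
        'erin:*:1005:20::/home/erin:/bin/sh' > "$1/passwd"
}

# sync_group: what the cron job would run on FreeBSD (needs root).
# pw groupmod -M replaces the whole member list of the target group.
sync_group() {
    pw groupmod "$TARGET" -M "$(allowed_members /etc/group /etc/passwd)"
}

if [ "${1:-}" = "--apply" ]; then sync_group; fi
```

Access to "master-file" lags any change to either group by up to one cron interval, so run the sync immediately after editing "accounts" or "dodgy". Processes that are already running keep the group list they started with until the user logs in again.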