Created On: 27 December 2012
Problem:
A user has successfully created a number of data sets with NODE1.NODE2... that we believe they should not have been able to create. Now they are getting not authorized for data set NODE1.NODE2.NODE3A and NODE1.NODE2.NODE3B which is correct. Why were they able to create data sets starting with NODE1.NODE2.NODE3.MORE or NODE1.NODE2.NODE3.MORE.MORE?
Resolution:
Reviewed the console.log, which showed the security-check messages for user USER1 for the data sets in question:
ESFEM1030I ESM1: MLDAP ESM: USER1 AUTH request for "NODE1.NODE2.NODE3.MORE" satisfied by rule "**"
ESFEM1030I ESM1: MLDAP ESM: USER1 AUTH request for "NODE1.NODE2.NODE3.MORE.MORE" satisfied by rule "**"
ESFEM1030I ESM1: MLDAP ESM: USER1 AUTH request for "NODE1.NODE2.NODE3A" satisfied by rule "NODE1.NODE2.*"
ESFEM1030I ESM1: MLDAP ESM: USER1 AUTH request for "NODE1.NODE2.NODE3B" satisfied by rule "NODE1.NODE2.*"
These messages appeared in the console.log because the external security manager had the following tracing enabled:
[Trace]
Rule=y
Note the single * after NODE1.NODE2. This means the rule only applies to data sets of exactly 3 nodes that begin with NODE1.NODE2.
This means that NODE1.NODE2.NODE3.MORE and NODE1.NODE2.NODE3.MORE.MORE do not fall under that Access Control List (ACL); as the messages above show, those requests were instead satisfied by the catch-all rule "**".
Modifying the Access Control List (ACL) name from NODE1.NODE2.* to NODE1.NODE2.** would make any rules set for this user apply to all 4 of the data sets, not just the 2 that have only 3 nodes.
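To make the qualifier-matching behaviour concrete, here is an added example (not code from the KB article or from the MLDAP ESM) that evaluates the data set names above against the ACL rule names before and after the change. It assumes that "*" stands for exactly one qualifier, that "**" stands for any number of qualifiers, and that the most specific matching rule (the one with the most literal qualifiers) is the one reported as satisfying the request; a permissive "**" rule is assumed to exist as the fallback the console.log messages show.

```python
# Constructed rule sets modelled on the KB article: the site rule before and
# after the fix, each beside the assumed permissive catch-all "**" rule.
RULES_BEFORE = ["NODE1.NODE2.*", "**"]
RULES_AFTER = ["NODE1.NODE2.**", "**"]

# The four data set names from the article.
DATASETS = [
    "NODE1.NODE2.NODE3A",
    "NODE1.NODE2.NODE3B",
    "NODE1.NODE2.NODE3.MORE",
    "NODE1.NODE2.NODE3.MORE.MORE",
]


def _match(pattern, quals):
    """Match a list of rule qualifiers against a list of data set qualifiers."""
    if not pattern:
        return not quals              # rule exhausted: name must be too
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        # '**' absorbs zero or more qualifiers: try every split point.
        return any(_match(rest, quals[i:]) for i in range(len(quals) + 1))
    if not quals:
        return False                  # rule wants a qualifier, name has none
    if head == "*" or head == quals[0]:
        return _match(rest, quals[1:])  # '*' is exactly one qualifier
    return False


def rule_matches(rule, dsname):
    """True if the ACL rule name covers the data set name."""
    return _match(rule.split("."), dsname.split("."))


def satisfying_rule(rules, dsname):
    """Return the most specific matching rule (assumed tie-break: most
    literal qualifiers, then fewest '**'), or None if nothing matches."""
    hits = [r for r in rules if rule_matches(r, dsname)]
    if not hits:
        return None
    def specificity(rule):
        quals = rule.split(".")
        literals = sum(1 for q in quals if q not in ("*", "**"))
        return (literals, -quals.count("**"))
    return max(hits, key=specificity)


def audit(rules):
    """Map each data set name to the rule that would satisfy its request."""
    return {ds: satisfying_rule(rules, ds) for ds in DATASETS}
```

Running audit(RULES_BEFORE) shows the two 3-node names landing on NODE1.NODE2.* while the longer names fall through to "**", exactly the split seen in the console.log; audit(RULES_AFTER) shows all four covered by NODE1.NODE2.**.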
Incident #2607082
Old KB# 36698
#MFDS
#EnterpriseDeveloper
#StudioEnterpriseEdition
#EnterpriseServer