I'm trying to set up a single rule in iManager(2.7/BM3.9sp1) to allow individual users or users within an OU through the proxy server.

If I set up a blank HTTP allow rule, I can get through. As soon as I try to add my own user's container or username to the rule, I get a 403 error.

I've tried deleting and recreating the rule several times.
I've tried browsing for OU, CN and keying them in directly. Also tried just CN, just OU, and CN + OU (and OU + CN).

Server console responds every time I apply changes. I can't see any other way to do it or any options I haven't tried. Anyone know what I'm doing wrong?