Discovered an instance recently where someone want to restrict access to an area of the file system (IRF)
Try as they might they couldn't block a certain user.

Investigation found that this user was getting the rights from an RBS role - PwdPolicyManagement, which was granting S Entry rights to the scope ([Root] !;-)

I have found the article Eliminate Excessive RBS Granted Rights for Password Sync Status Check | Novell User Communities but just wondered what other people are doing? especially where service desk, etc. still require ConsoleOne, etc.