The AIX scheme has two attributes: hostsallowed, hostsdenied - if I recall correctly. They are exclusive to each other, i.e., you specify what is allowed, all else is denied, or what is denied -...
If you have a chance to attend the TechU in Amsterdam or Athens this year I'll be doing a presentation/labs on RBAC and LDAP (installing ITDS from try and buy images). As I have time...